Datatilsynet (Denmark) - 2023-431-0001
From GDPRhub
| Datatilsynet - 2023-431-0001 (Helsingor decision no. 5) | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 6(1)(e) GDPR Article 58(2)(d) GDPR Folkeskoleloven (The Public School Act) § 2(1) and § 18(1) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 01.12.2019 |
| Decided: | 30.01.2024 |
| Published: | 30.01.2024 |
| Fine: | n/a |
| Parties: | 53 Danish municipalities KL Kommunernes Landsforening (Local Government Denmark) |
| National Case Number/Name: | 2023-431-0001 (Helsingor decision no. 5) |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | Rie Aleksandra Walle |
In its fifth Chromebook case decision, the Danish DPA held that 53 municipalities unlawfully shared students' personal data with Google for some of Google's own development purposes, breaching Article 6(1)(e) GDPR.
English Summary
Facts
Following four previous decisions by the Danish DPA into the usage of Google Chromebooks and Workspace for Education by the municipality of Helsingor, the DPA began its investigation into 53 Danish municipalities, between 8 September and 24 October 2022, regarding their use of Google Chromebooks and Workspace for Education.
The DPA requested the municipalities for further clarifications and also asked them to carry out a data protection impact assessment. On 12 September 2022, the DPA was informed by the KL (Local Government Denmark) to be representing the municipalities and that it would submit a joint response on behalf of all affected municipalities. On 30 June 2023, the KL provided the DPA with a complete response containing documentation by all municipalities.
Holding
The DPA stressed that processing of personal data is lawful if done on the basis of Article 6(1) GDPR. Specifically, public authorities can process personal data to carry out a task in the public interest under Article 6(1)(e) GDPR, as in the present instance.
Indeed, the DPA noted that under section 2(1) and section 18(1) Folkeskoleloven (The Public School Act), the municipalities, as part of their responsibility for primary and lower secondary schools, have the power to organise the teaching environment, such as select teaching and working methods, teaching materials, etc.
However, during the investigation, the DPA found that from the students' usage of Google Chromebooks and Workspace for Education, Google received and processed for its own purposes data about the individual student's use of the tools, including information about the computer's settings, about the use of the tools, applications, and Chrome browser.
Consequently, the DPA stated that the municipalities could not, under section 2(1) and section 18(1) of the Public School Act, in conjunction with Article 6(1)(e) GDPR, share the students’ personal data for purposes related to maintain and improve Google Workspace for Education, ChromeOS and Chrome browser, and measure performance and develop new functions and services in ChromeOS and Chrome browser. Indeed, these purposes did not only cover the development of the specific teaching and learning resources purchased by the municipalities but also the general development of Google's products. Meanwhile, according to the Public School Act, the municipalities could not disclose personal data about students to the supplier of teaching and learning resources for the purpose of the supplier's general further development of its IT products using this information.
Therefore, the DPA established that the municipalities breached Article 6(1)(e) GDPR and ordered all 53 municipalities to bring their processing in line with Article 5(1)(a) GDPR, Article 6(1) GDPR, by ensuring they have a legal basis for all processing activities, and be able to demonstrate this in line with Article 5(2) GDPR.
The DPA also suggested three ways of achieving compliance, although only as examples since it is up to the municipalities, as the controllers, to determine and decide how to comply with the DPA's order. Two of these cases necessarily involve the intervention of another entity:
- Stop sharing personal data with Google for purposes where they lack a legal basis;
- For Google to stop processing personal data for these purposes;
- For the Danish Parliament to create a legal basis for the processing.
The municipalities have until 1 March to report their solution to the DPA and must ensure that their processing is compliant before 1 August.
Comment
This is the Danish DPA's fifth decision in the case relating to Helsingor municipality's processing of personal data in primary and lower secondary schools. Helsingor municipality, the controller, was found to be using Google Chromebooks and Workspace for Education in violation of several GDPR requirements, as detailed in the first decision of September 2021, the second decision of 14 July 2022, the third decision of 18 August 2022 and the fourth decision of 8 September 2022.
A representative from the Danish DPA discussed this case in a podcast episode of the show "Grumpy GDPR".
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Danish Data Protection Authority issues an injunction in the Chromebook case
Date: 30-01-2024
Decision Public authorities Order Reported breach of personal data security Children Data processor Risk assessment and impact analysis Basic principles Processing basis
In the case of the use of Google Workspace in primary schools, the Norwegian Data Protection Authority assesses that there is no authority to pass on personal data to Google for all the purposes that are passed on today. Therefore, the Danish Data Protection Authority is now giving an order to the municipalities to bring the processing in line with the rules and indicates various ways in which this can be done.
Journal number: 2023-431-0001
Summary
Since the summer, the Norwegian Data Protection Authority has reviewed the extensive material that KL has sent on behalf of 53 municipalities in the case of the use of Google Workspace in schools, and has made a decision on that basis, which is published today.
The material has now given an in-depth description of the central aspects of the schools' use of the service and the supplier's use of data. This was an initial prerequisite for the municipalities to start processing the information in Google Workspace, and the relevant analyzes should therefore have been in place before the tools were put into use. This lack of clarification and the incomplete analyzes have been assessed and sanctioned in the Data Protection Authority's previous decisions against the 53 municipalities.
The municipalities state in the material now submitted that there is a transfer of personal data that Google uses for its own purposes. The Danish Data Protection Authority has therefore assessed the legality of these disclosures and made a decision in this part of the case, as the clarification of this is a prerequisite for being able to process the information as a whole. At the same time, this clarification sets the framework for a solution where personal data about schoolchildren can be processed in future.
"Before using a tool, you as a data controller must get an overview of how personal data is processed in it, and you must be able to document it. That requirement applies to all organisations. But when it comes to public authorities - where we which citizens themselves cannot opt out of our information being processed - the Danish Data Protection Authority has a special expectation that the necessary analyzes are both carried out and documented," says Allan Frank, IT security specialist and lawyer at the Danish Data Protection Authority, and continues:
"Most IT standard products today have a very complex contractual basis, which not only contains many options for variations in the processing of personal data, but also has a relatively high frequency of changes. This makes it more difficult than necessary for data-responsible companies and authorities to live up to GDPR, because it is easy to lose track of what is happening with data. We at the Danish Data Protection Authority therefore call for contracts to be made more transparent - not just in relation to the processing structure, but also in relation to the consequences when conditions surrounding the delivery change."
Order to legalize disclosure
The conclusion of the Danish Data Protection Authority's decision is that there is authority to pass on the students' information for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
At the same time, however, the assessment is that the Folkeskole Act does not sufficiently clearly authorize the municipalities to pass on the students' information for the maintenance and improvement of the Google Workspace for Education service, ChromeOS and the Chrome browser, or for measuring the performance and development of new functions and services in ChromeOS and the Chrome browser.
Therefore, the Danish Data Protection Authority gives an order to the municipalities to bring the processing in line with the rules by ensuring that there is authorization for all the processing that takes place. This can happen, for example, by:
That the municipalities no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted. That Google itself refrains from processing the information for these purposes. That the Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.
The municipalities must comply with the order from 1 August 2024, but must indicate how they intend to comply by 1 March at the latest.
"Today's IT services often function in such a way that the transfer of personal data is built into the product, and that the use of the information is often a prerequisite for getting the full benefit of the products' functionality. However, this does not always happen with sufficient focus on the protection of the citizens whose information is used. But neither the functionality of the solutions you want to use, the supplier's market position, the standardized structure or the mere use of a standard product can justify not complying with the rules on data protection , which it has been decided from a political point of view that we must have in Europe," says Allan Frank.
Which parts of the decision are pending?
On the basis of the municipalities' feedback on 1 March 2024, the Danish Data Protection Authority will notify the municipalities of which further concrete matters - in addition to the changes that have already taken place and are described in the submitted material - must be dealt with before the injunction deadline of 1 August 2024. This partial decision depends of how the municipalities will comply with the mandate on the processing basis for the said disclosures, and therefore it is a step-by-step process.
Decision
The Norwegian Data Protection Authority hereby returns to the case where, on 14 July 2022, the Norwegian Data Protection Authority notified Helsingør Municipality of a ban on processing personal data using Google Chromebooks and Workspace for Education. The Danish Data Protection Authority maintained this ban by decision of 18 August 2022.
On the basis of a subsequent dialogue with Helsingør municipality, where the municipality identified a number of circumstances where the use of Google Chromebooks and Workspace for Education had either not been legal, or where the risk to the registered had not been sufficiently identified and reduced, the Danish Data Protection Authority suspended the above-mentioned ban by decision of 8 September 2022. The Danish Data Protection Authority simultaneously notified Helsingør municipality of four orders.
Subsequently, in the period up to 24 October 2022, the Danish Data Protection Authority also issued the same four orders to the following 52 other municipalities:
1
Albertslund Municipality
19
Horsens Municipality
37
Slagelse Municipality
2
Allerød Municipality
20
Hvidovre municipality
38
Solrød Municipality
3
Ballerup Municipality
21
Hørsholm Municipality
39
Sorø Municipality
4
Dragør Municipality
22
Ishøj Municipality
40
Svendborg Municipality
5
Egedal Municipality
23
Jammerbugt Municipality
41
Syddjur Municipality
6
Fanø Municipality
24
Langeland Municipality
42
Thisted Municipality
7
Favrskov Municipality
25
Læsø Municipality
43
Tønder Municipality
8
Fax Municipality
26
Mariagerfjord Municipality
44
tårnby municipality
9
Municipality of Fredericia
27
Middelfart Municipality
45
Vejen Municipality
10
Faaborg-Midtfyn Municipality
28
Nordfyn Municipality
46
Vejle municipality
11
Glostrup Municipality
29
Næstved Municipality
47
Vesthimmerland Municipality
12
Greve Municipality
30
Odder Municipality
48
Vordingborg municipality
13
Gribskov Municipality
31
Odense Municipality
49
Ærø Municipality
14
Haderslev Municipality
32
Odsherred Municipality
50
Aalborg municipality
15
Hedensted Municipality
33
Randers Municipality
51
Municipality of Aarhus
16
Herlev Municipality
34
Rebild Municipality
52
Brøndby Municipality
17
Hjørring Municipality
35
Samsø Municipality
18
Holbæk Municipality
36
Silkeborg Municipality
KL then notified the Data Protection Authority on 12 September 2023 that KL and KOMBIT represent Helsingør and the 52 other municipalities mentioned above in the further processing of the cases by the authority.
1. Decision
After a review of the material which KL has forwarded on behalf of the 53 municipalities at the latest on 30 June 2023, the Danish Data Protection Authority - given the scope and complexity of the case - finds a basis for initially making a decision with regard to the question of the municipalities' disclosure of personal data to Google Ltd.
In this connection, the Danish Data Protection Authority finds that there is no basis for overriding the municipalities' assessment that, as part of the municipalities' choice of teaching and learning resources in primary schools, it is necessary to process and pass on personal data to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) provision of and (ii) improvement of the security and reliability of the services in question, etc. ("the original purposes"), cf. the data protection regulation, article 6, subsection 1, letter e, cf. Article 6, subsection 3, and Section 2, subsection of the Folkeskoleoven. 1, and § 18, subsection 1. It includes i.a. processing of personal data for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
However, it is the Danish Data Protection Authority's assessment that the municipalities do not, within the framework of Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1, cf. the data protection regulation, article 6, subsection 1, letter e, may process and pass on personal data about school students to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) maintenance and improvement of the Google Workspace for Education service, Chrome OS and the Chrome browser, ( ii) measuring the performance of Chrome OS and Chrome Browser, and (iii) developing new features and services of Chrome OS and Chrome Browser (“the Derivative Purposes”).
Against this background, the Danish Data Protection Authority finds that there is a basis for issuing an order to the municipalities to bring the municipalities' processing of personal data in the form of passing on personal data to Google in accordance with Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a, and Article 6, subsection 1, as well as being able to demonstrate this, cf. the regulation's article 5, subsection 2.
This can happen e.g. by:
that the municipalities cease to pass on personal data to Google for the purposes in question, which probably presupposes that Google develops a technical possibility for the data flows in question to be cut off, that Google refrains from processing information for these purposes, or that the Danish Parliament provides a sufficiently clear legal basis for the processing in question.
The Danish Data Protection Authority initially requests the municipalities to indicate how the municipalities intend to comply with the above-mentioned order. The Danish Data Protection Authority must request to receive this notification by 1 March 2024 at the latest.
The deadline for compliance with the injunction is 1 August 2024. The Danish Data Protection Authority must request to receive confirmation that the injunction has been complied with by the same date. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.
According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
In the period 8 September to 24 October 2022, the Data Protection Authority has notified 53 municipalities of the following orders regarding the municipalities' use of Google Chromebooks and Workspace for Education:
"The Danish Data Protection Authority gives [...] the Municipality an order to have the existing agreement with the data processor changed in such a way that the conditions mentioned in the Danish Authority's decisions of 14 July and 18 August 2022, in relation to Helsingør Municipality, as well as the material that […] Municipality has forwarded on […] 2022, and which derives from the overall basis of the agreement with the supplier, is brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, as well as for what purposes, the support situations that the municipality no longer uses, and ambiguities in the [contract text] that create uncertainty about the data processor's actions in addition to the rule in Article 28, subsection of the data protection regulation. 3, letter a. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.
The Danish Data Protection Authority further announces […] Municipality an order to describe the data flows that take place and identify the personal data that is passed on to the supplier, and makes it clear when the latter acts as an independent or shared data controller. The documentation must include the entire technology stack […] Municipality uses for the treatment.
The Danish Data Protection Authority further orders [...] the municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process, if it turns out that there are – in addition to those for which the Article 36 procedure has now been requested – additional high , non-mitigable high risks, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.
Finally, the Danish Data Protection Authority [...] orders the Municipality to present a final time-bound plan for the legalization of any processing that has not been able to be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation for compliance with the orders before the set date date."
KL informed the Norwegian Data Protection Authority on 12 September 2023 that KL and KOMBIT represent the above-mentioned municipalities in the further processing of the cases by the authority and would therefore come up with a joint response on behalf of all affected municipalities.
KL then forwarded on 3 November 2022 documentation for compliance with the Danish Data Protection Authority's order to the 53 municipalities. On 4 November 2022, KL sent supplementary material to this.
On 4 November 2022, the Norwegian Data Protection Authority notified KL and the affected municipalities that the Norwegian Data Protection Authority's ban of 18 August 2022 was suspended until the case processing of the received material was completed. The Danish Data Protection Authority stated in this connection that the Danish Data Protection Authority expected to complete the case processing before the end of 2022.
In the subsequent period, KL became aware that, in KL's opinion, there was a need to elaborate and change parts of the material, so that the municipalities could comply with the Danish Data Protection Authority's orders to a greater extent. KL therefore requested on 2 December 2022 the Danish Data Protection Authority to wait for this additional material.
The Danish Data Protection Authority accepted KL's request and set a deadline of 23 January 2023 to forward this additional material.
On January 23, 2023, KL sent this additional material. On the basis of a meeting between the Data Protection Authority and KL, Aarhus Municipality and KOMBIT about the material, KL found that there was a need to elaborate on the submitted material. KL therefore requested on 23 March 2023 the Norwegian Data Protection Authority to wait for this elaboration.
KL stated on 16 June 2023, prompted by a reminder from the Data Protection Authority of the same date, that KL expected to send the detailed material before the end of June 2023.
On 30 June 2023, the Data Protection Authority received a combined response with 32 annexes from KL, which also stated that the collection of documents constituted the affected municipalities' documentation for compliance with the Data Protection Authority's order.
KL's response of 30 June 2023 with annex constitutes, together with the above, a complete presentation of the case. KL's response of 30 June 2023 and annexes 16 and 26 to this are attached as annexes to this decision.
3. General remarks
The Danish Data Protection Authority first and foremost acknowledges the great work that the municipalities as the data controllers have carried out with a view to complying with the Danish Data Protection Authority's orders. There is now an adequate description of which data is processed, by whom and in what role. The work of the municipalities has also led to changes in the services that the municipalities use and the contract terms under which the services are delivered.
However, the Danish Data Protection Authority emphasizes that this work should have been carried out before Google Chromebooks and Workspace for Education were put into use. The municipalities' processing of personal data prior to this work is therefore, as the Danish Data Protection Authority has previously decided, in breach of several provisions in the data protection regulation.
Where several data controllers use the same systems and carry out approximately the same processing of personal data, in the opinion of the Danish Data Protection Authority there is a significant synergy in making joint assessments of risk factors, possible impact analyzes and mitigating measures.
In addition, the Danish Data Protection Authority must encourage associations and bodies representing categories of data controllers to draw up a code of conduct in accordance with Article 40 of the Data Protection Regulation in order to specify the application of the Data Protection Regulation.
A code of conduct can provide correct and practical instructions on how to communicate
with one or more processing activities must arrange themselves to comply with the data protection rules. It can, for example, be by determining procedures to be followed for a particular treatment activity. A code of conduct will therefore be a useful tool to help comply with data protection rules for the authorities that have signed up to the code.
While joining and complying with a code of conduct makes it easier to comply with the data protection rules, it does not exempt the individual municipalities from the duties and tasks incumbent upon them as data controllers. This is particularly important in situations where the data controller chooses to deviate from the prerequisites in the common concepts and treatments, e.g. when using a system for other purposes.
3.1. About legal processing of personal data
The principle of legality in administration (the principle of legality) implies that a public authority's decisions and administration must otherwise be supported by law or another legal basis.
When it comes to the data protection rules, this principle implies that public authorities – in addition to ensuring that the authorities' own tasks are carried out in accordance with the data protection rules – must also ensure that the IT solutions that the authorities decide to use to support the authorities' tasks are within within the framework of the data protection legal regulations.
Public authorities must therefore ensure and take measures to ensure that the authorities do not design, develop or acquire and use solutions that do not comply with the data protection rules. It can, among other things, happen by the authorities setting relevant requirements in their procurement procedures and project models that ensure the procurement or development of solutions in accordance with the data protection rules. The extent of these requirements may, in the Data Protection Authority's view, vary, taking into account the nature, scope and purpose of the processing activity that the solution must support, as well as the risks for citizens that may be associated with use of the solution. In any case, these requirements must consist of more than just a single requirement for the supplier that the solution must comply with the data protection rules. The requirements can e.g. reflect the measures that the authority has deemed necessary to take on the basis of its risk assessment or impact analysis in order to ensure the legality of the solution.
Finally, the Danish Data Protection Authority notes that the functionality of the solutions that are to be used, or the market position of the supplier that is to be chosen, cannot justify a failure to comply with the data protection rules. A standardized structure of the solutions or the mere use of a standard product cannot also justify a failure to comply with the data protection rules.
4. Reason for the Data Protection Authority's decision
4.1. Mapping of data flows and distribution of roles between the municipalities and Google
4.1.1. Distribution of roles
An impact analysis regarding data protection must, cf. the data protection regulation, article 35, subsection 7, at least contain i.a. a systematic description of the planned treatment activities and the purposes of the treatment.
It is a basic prerequisite for assessing and documenting your compliance with the data protection rules that you have knowledge of and can describe which information you process, for which purpose(s) and in which role.
On the basis of the Danish Data Protection Authority's order, KL, in collaboration with Google, has mapped which roles the municipalities and Google respectively have in the municipalities' use of Google Chromebooks and Workspace for Education, as well as which personal data is processed, by whom and for which purpose(s).
Overall, the municipalities are the data controller for the processing of personal data when the municipalities use Google Chromebooks and Workspace for Education. KL has also stated that Google's role across the technology stack is as follows:
The technology stack
Data controller
Data processor
Service Data
Customer Personal Data
Service Data
Customer Personal Data
Chrome OS
Yes
Yes
No
No
Chrome browser
Yes
Yes
No
No
Chrome EDU Upgrade
Yes
No
No
Yes
Workspace for Education (incl. Chrome Sync)
Yes
No
No
Yes
KL has thus stated that Google is the data controller for any processing of personal data that takes place as part of the use of Chrome OS and the Chrome browser, and that Google is not a data processor for the municipalities in that connection.
Furthermore, KL has stated that Google is the data controller for the processing of Service Data in Chrome EDU Upgrade and Workspace for Education, and that Google's processing of Customer Data in these two products takes place as a data processor for the municipalities.
A description of the processing activities for which Google is the data controller appears in appendix 26 to KL's response (attached). The mapping also contains a detailed description of the specific information that is processed and of the specific purposes of the processing.
The Norwegian Data Protection Authority understands that Customer Data generally includes content data, e.g. documents that are handled in Workspace etc., while Service Data primarily includes derived diagnostic data about e.g. school students' use of the products.
4.1.2. Basis of agreement
The municipalities' use of Chromebooks and Workspace for Education is regulated by two agreements with Google. These are the Google Workspace for Education Terms of Service (dated September 26, 2023) and the Chrome Online Agreement (dated April 7, 2022).
The agreements include the products Workspace for Education[1] and Chrome EDU Upgrade[2], which can be seen from the above overview of the technology stack.
The agreement Google Workspace for Education Terms of Services also refers to e.g. to the Cloud Data Processing Addendum (dated September 26, 2023), which thus constitutes the data processing agreement with respect to the Workspace for Education product.
In addition, the Chrome Online Agreement refers to, among other things, to the Data Processing Amendment to Chrome Agreements (dated 16 February 2023), which constitutes the data processing agreement for the product Chrome EDU Upgrade.
In both sets of agreements, Customer Data and Customer Personal Data have specific meanings.
Service Data, which is processed as part of the use of Workspace for Education and Chrome EDU Upgrade, is defined in more detail in the Google Cloud Privacy Notice (dated 21 August 2023) and is not covered by the municipalities' agreement with Google, but is processed by Google as the data controller .
The municipalities' use of Chrome OS and the Chrome browser, see further below, is also not regulated by agreements between the municipalities and Google.
Instead, according to Google, the use of Chrome OS is governed by Google's General Terms of Service[3] and Privacy Policy[4]. The terms of service are not concluded with the municipalities, but with the individual end user, which in this case are school students (and their parents).
Correspondingly, the following appears from Appendix 26, p. 3 at the bottom:
"Today, Google acts as a data controller when providing ChromeOS and Chrome browser, for both Customer Data and Service Data. As part of providing Chrome services, Google processes personal identifiers relating to devices or end users of Chrome, which are only used for the purposes set forth in the Google Privacy Policy.”
On that basis - and on the basis of the division of roles between the municipalities and Google that KL has informed - the Danish Data Protection Authority assumes that the use of the Chrome browser is not regulated by an agreement between the municipalities and Google, but instead is regulated by Google's general terms of service and privacy policy, as is also the case for Chrome OS.
4.1.3. The purposes of processing personal data
In connection with its dialogue with Google, KL has found it necessary to clarify the basis of the agreement with Google with regard to the purposes for which Google processes the information. As part of the response of 30 June 2023, KL has forwarded a draft of the contract addendum, which clarifies e.g. for which purposes Google may process the information.
For Workspace for Education, Google will then process Customer Data as a data processor for the municipalities to provide the service and support (upon request from the municipalities). Google has also specified that Customer Data will not be processed for marketing purposes or to improve Google's products and services, including Workspace for Education.
Google is further committed to only process Service Data generated by the use of Workspace for Education as a data controller to improve and optimize the performance, reliability, core functionality, availability, data protection, security and efficiency of the IT infrastructure of (a) Google Workspace for Education and support therefor, as well as (b) Google Cloud, Google Cloud Marketplace and Google Workspace Marketplace services, provided that the municipalities use such services. Google will not process Service Data to improve or optimize other Google products or services.
For Chrome EDU Upgrade, Google will process Customer Personal Data to:
(a) to provide, secure, and monitor the Services and any TSS requested by Customer; (b) to support Customer's and its End Users' secure and compliant use of the Services; (c) as described in this Data Processing Amendment, including Sections 10 (Data Transfers) and 11 (Subprocessors); (d) as described in Section 7 (Confidentiality; Legal Process) of the Agreement, provided that any disclosure by Google or any Subprocessor with its address in the EEA complies with European Data Protection Law; and (e) as further specified via (i) Customer's compliant use of the Services (including the Admin Console and other Services functionality) and any TSS requested by Customer, and (ii) any other written instructions given by Customer and acknowledged by Google as constituting instructions under this Addendum”
KL has also stated that the Service Data that is processed as part of the Chrome EDU Upgrade is a subset of the Service Data that is processed as part of the Chrome browser.
Furthermore, KL has stated that Google is the data controller for the processing of all personal data, regardless of whether the information is characterized as Service Data or Customer Personal Data, as part of the use of Chrome OS and the Chrome browser.
The purposes of Google's processing of Service Data in Chrome EDU Upgrade, and all other personal data in Chrome OS and the Chrome browser are stated in Google's privacy policy[5].
In summary, KL has stated that Google processes personal data for which the company is independently data responsible, across the technology stack for the following purposes:
Favor
Original purposes
Secondary purposes
Workspace for Education
Provide cloud services that the municipalities request
Provide recommendations on optimizing use of the cloud services
Assist the municipalities
Protect the municipalities, Google's users, customers, the public and Google
Comply with legal obligations
Maintain and improve cloud services
Provide and improve other services requested by municipalities
Chrome OS
Provide Google services
Improve the security and reliability of services
Communicate with customers
Provide personalized services (Google Sync)[6]
Comply with legal obligations
Maintain and improve Google services
Measure performance
Develop new features and services
Chrome browser
Provide Google services
Improve the security and reliability of services
Communicate with customers
Provide personalized services (Google Sync)[7]
Comply with legal obligations
Maintain and improve Google services
Measure performance
Develop new features and services
Finally, KL has described in more detail the above purposes and how personal data is processed as part of these purposes. This appears from appendix 26 to KL's response (attached).
4.1.4. The Danish Data Protection Authority's assessment
After a review of KL's response, the Danish Data Protection Authority finds that the municipalities have described which personal data is processed as part of the municipalities' use of Chromebooks Workspace for Education, as well as which roles the municipalities and Google have in the processing of the information. The description includes the entire technology stack.
The Norwegian Data Protection Authority then considers the Norwegian Data Protection Authority's order to describe the data flows that take place and to describe which personal data is passed on to Google to have been complied with.
However, the Norwegian Data Protection Authority notes that the description of the data flows and the basis of the agreement that regulates the municipalities' use of Chromebooks and Workspace for Education is complex. In the opinion of the supervisory authority, this in itself entails a risk of non-compliance with the data protection rules. This is because even minor changes in the technology stack or the basis of the agreement can involve consequential changes that the municipalities can overlook.
The Danish Data Protection Authority therefore encourages the municipalities to engage in further dialogue with Google about simplifying, in particular, the basis of the agreement or ensuring that the municipalities possess or have access to the necessary technical and legal competences to ensure that the data protection rules are complied with.
4.2. Dissemination of personal data
4.2.1. The Data Protection Regulation
Personal data can be processed on the basis of one of several processing bases, which can be found in the data protection regulation, article 6, subsection 1. For public authorities, processing of personal data will most often take place because it is necessary to comply with a legal obligation, cf. Article 6, paragraph 1, letter c, or because the processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, cf. Article 6, subsection 1, letter e.
In both cases, the processing must have a so-called supplementary legal basis, which obligates or entitles the authority to carry out a specific authority task. It follows from the data protection regulation's article 6, subsection 3.
4.2.2. Requirements for the supplementary legal basis
Article 6 of the Data Protection Regulation, subsection 3, contains several requirements for the supplementary legal basis, which must therefore meet certain criteria.
Firstly, it is required according to Article 6, paragraph 3, 1st point, that the basis for the processing must appear from EU law or national law.
It appears from preamble consideration no. 45 that the data protection regulation does not imply that a specific law is required for each individual processing pursuant to Article 6, subsection 1, letter e. A law may be sufficient as a basis for several data processing activities. However, there is a requirement that processing according to the provision takes place on the basis of EU law or national law. Furthermore, it follows from preamble no. 41 to the data protection regulation that the legal basis in question does not necessarily require a law, but that the legal basis should be clear and precise, and the scope should be predictable for persons covered by the scope of the legal basis.
From the Ministry of Justice's report no. 1565/2017, p. 132f., the following appears about the regulation's article 6, subsection 1, letter e:
"In this connection, it must be assumed that Article 6, subsection 1, letter e, is directly applicable as a basis for processing, as long as the data controller performs a task in the interest of society or which falls under the exercise of public authority, which the data controller has been assigned. The use of Article 6, subsection 1, letter e, as a basis for processing, thus does not require national, implementing legislation on the actual processing of personal data in connection with the performance of tasks in the interest of society or as part of the exercise of public authority.
The use of Article 6, subsection 1, letter e, does not necessarily require that the task, which requires the processing of personal data, is expressly assigned to the authority in the legislation. In this connection, reference can be made to [The Danish Data Protection Authority's statement in the case with j.no. 2004-54-1394], where the inspection found it natural that the Ministry of Education, as the central authority in the area, solved a task regarding digital registration for and application for admission to education programs, even though there was no express legal authority that assigned the task to the ministry. The ministry could therefore use i.a. § 6 pieces. 1, no. 5, in the Personal Data Act on processing that is necessary for the performance of a task in the interest of society.”
In addition, the following appears from p. 160 of the report on the regulation's article 6, subsection 3:
"It also follows from the regulation's article 6, subsection 3, 2nd point, specifically regarding processing referred to in Article 6, subsection 1, letter e – i.e. for the purpose of carrying out a task in the interest of society or which falls under the exercise of public authority - that the processing must be "necessary for the performance of a task in the interest of society or which falls under the exercise of public authority". Here, too, it must be sufficient for the fulfillment of this requirement of necessity that it can be derived from the relevant national law with its preamble, on the condition that the processing is actually "necessary".
In Article 6, subsection 3, last indent, there is an additional requirement for the legislation that adapts the application of the data protection regulation. There is a requirement that the national law of the Member States must fulfill an objective in the interest of society and be proportionate to the legitimate aim pursued. The Data Protection Regulation thus establishes a requirement for proportionality and observance of the public interest in connection with national law and EU law, which adapts the application of the Data Protection Regulation.”
In connection with the Ministry of Justice's national evaluation of the data protection rules in April 2021, the Danish Data Protection Authority stated, among other things, the following in a contribution to the ministry:
"The provisions in the regulation's article 6, subsection 2 and 3, implies, firstly, that the processing – in order to be able to take place in accordance with 6, subsection 1, letter e – must appear from EU law or the national law of the Member States. This means that the application of Article 6, subsection 1, letter e, requires that the processing is provided for in EU law or national law, but not necessarily that there is national implementing legislation on the processing itself. […]
In other and the vast majority of cases, however, the special legislation will not contain specific requirements for the processing of personal data or otherwise prescribe specifically whether and which personal data must be processed. Processing of personal data will, however, typically be a prerequisite for the authority to be able to solve the tasks prescribed by legislation. This could, for example, be an authority's assessment of a citizen's right to social benefits according to the social legislation or legislation on the authority's tasks in the area of children and schools.
When processing according to the regulation's article 6, subsection 1, letter e, can be considered necessary, must in these cases be held up against the tasks and obligations that the authority has in accordance with the legislation that regulates its work. Similarly, in relation to the requirement of necessity, which follows from the regulation's article 5, subsection 1, letter c.
In this connection, it is important to emphasize that the data protection rules are not intended to stand in the way of or make it difficult for public authorities to carry out their tasks. The data protection rules, including the requirement of necessity, do not therefore imply that public authorities must, at all costs, organize their task performance in such a way that as little personal data as possible is processed, if this would prevent the authority from fulfilling its tasks in the manner intended by the legislation.
The data protection legal requirement of necessity, on the other hand, is flexible and gives the data controller – in this context public authorities – the opportunity to assess what is relevant and factual in the individual case, i.e. necessary for the authority to carry out its tasks in the manner intended by the legislation. In this connection, it is also important to keep in mind that the authority which is required by law to carry out a task, in the nature of the matter, has the best prerequisites for assessing what is factual and relevant to solve the task, as it it is precisely the authority in question that has the most knowledge of how any sector-specific legislation is implemented in practice.
It will thus be within the framework of the data protection regulation, Article 6, subsection 1, letter e, if the authority can point to a legal basis as the reason for the processing, and if the processing is not – based on a general consideration – unnecessarily intrusive for the data subject, e.g. because the processing is solely a practical way for the authority to fulfill its purpose, which does not take into account the data subject.
In other words, public authorities have quite a broad framework for assessing which processing of information is necessary to carry out the authority's tasks in accordance with the legislation.”
Finally, the European Court of Justice states the following in its judgment of 24 February 2022 in case C-175/20[8]:
"In this regard, it is nevertheless noted that the legislation which forms the basis for the processing, in order to meet the requirement of proportionality, as Article 5, paragraph 1, letter c), [...] is an expression of [...], must lay down clear and precise rules that regulate the scope and application of the measure in question, and that set minimum requirements, so that the persons whose personal data are affected have adequate safeguards that enable this information to be effectively protected against the risk of misuse. This legislation must be legally binding in national law and, in particular, indicate in what circumstances and under what conditions a measure on the processing of such information can be adopted, thereby ensuring that the intervention is limited to what is strictly necessary”
The requirement for the clarity of the legal basis in question thus generally depends on how intrusive the processing of personal data that takes place in the solution will be for the citizen. If it is a completely harmless treatment, the requirements will be less than if it is an intrusive treatment, where greater demands are placed on the clarity of the legal basis.
4.2.3. The Public Schools Act
The municipalities' authority tasks in the school area appear in the Folkeskole Act[9]. Of the act's section 1, subsection 1, and § 2, subsection 1, the following appears:
"§ 1. The folk school, in cooperation with the parents, must give students knowledge and skills that: prepare them for further education and make them want to learn more, make them familiar with Danish culture and history, give them an understanding of other countries and cultures, contributes to their understanding of man's interaction with nature and promotes the individual student's versatile development. […]
"§ 2. The municipal board is responsible for the primary school, cf. however § 20, subsection 3, § 44 and § 45, subsection 2, 2nd point The municipal board is responsible for ensuring that all children in the municipality have the right to free education in primary school.”
In addition, the following follows from section 5, subsection of the Act. 1 and 2:
§ 5. The content of the teaching is chosen and organized so that it gives the students the opportunity for professional immersion, overview and experience of contexts. The teaching must give students the opportunity to acquire the cognitive and working methods of the individual subjects. In interaction with this, the students must have the opportunity to use and develop the acquired knowledge and skills through teaching in cross-cutting subjects and issues.
PCS. 2. Teaching in grades 1-9. class is given within 3 subject blocks and includes for all students: […]”
From the preparations for the provision (Folketingstidende 1992-93, appendix A, bill of 22 April 1993, sp. 8939) the following appears:
"For all the subjects in the three groups, you must be aware that computing must be integrated, as described in the teaching guide for the compulsory subject computer computing under the current law and in the supplements to the subjects' curricula that are and have been sent out by the ministry In recent years. Integration of computers provides an opportunity for the development of the subject's subjects, concepts and methods, and examples of this will be included in future teaching guides."
In this context, the following appears from the preparatory work for section 7 of the act (a. st., sp. 8943), which lays down compulsory subjects that must be included in teaching in primary school:
"Computer science is proposed to be abolished as a compulsory subject, as it is assumed that the content is integrated into the compulsory subjects at the youngest grade levels. In this way, all students gain a basic understanding of the concepts and methods of information technology and a knowledge of where computers can be used to advantage in the subjects. This knowledge must form the basis for the general integration of computers in the subjects, cf. here also the comments to section 5 of the bill."
This is also apparent from Section 18, subsection of the Folkeskole Act. 1, which i.a. deals with the choice of teaching aids:
"The organization of the teaching, including the choice of teaching and working methods, methods, teaching materials and material selection, must in all subjects meet the primary school's purpose, goals for subjects and subjects and be varied so that it corresponds to the needs and prerequisites of the individual student."
Furthermore, section 19, subsection of the Act states 1, the following:
"The necessary teaching aids must be made available free of charge to the students. However, this does not apply to instruments and equipment that are used for teaching during free time according to § 3, subsection 6, and which the students take home for their own use.”
From the preparations for the provision (Folketingstidende 1992-93, appendix A, bill of 22 April 1993, sp. 8956) the following appears:
"As a result of the fact that computing has moved from being a compulsory subject to being an integral part of the subject's content, it is assumed that the ongoing development of equipping schools with information technology teaching aids and giving teachers the necessary educational background continues, so that the intentions whether the full integration of IT can be realized within the next few years."
The introduction of computer science as a compulsory subject took place by Act No. 435 of 13 June 1990. To support the introduction of the subject as a compulsory subject, the Ministry of Education prepared - as stipulated in the preparations for the provision (Folketingstidende 1989-90, appendix A, bill of 14 March 1990, sp. 5194) – an indicative curriculum and teaching guide. The curriculum and the teaching guide state the following about the purpose of the IT subject:
"Purpose of the compulsory subject computing
- students must be familiar with using hardware and software.
– the students must acquire knowledge of how the computer is used in communication and problem-solving processes.
– students must acquire knowledge of how the use of computers affects communication and problem-solving processes.
Notes on the purpose
People have always communicated with each other using sounds, images, writing, etc. In many of these communication processes they have used tools, e.g. pencil, brush, typewriter and telephone. Such tools will always have an impact on how people communicate with each other. The same is true when we solve problems.
The use of computers is now so widespread that one can rightly claim that it is a tool that everyone will come to use. Many other tools focus largely on physical processes. This is not the case with computers, as this tool predominantly supports processes of an intellectual nature.
It is therefore extremely important that people are able to appropriately involve computers in communication and problem-solving processes. At the same time, this will be an essential prerequisite for being able to behave in a society where democratic decision-making processes and ways of dealing are a matter of course. There are therefore certain prerequisites that all citizens must possess, and which must therefore be part of general education in line with, for example, being able to read, write and calculate.
The purpose of the teaching in computing includes 3 aspects:
– the operating aspect, which relates to general operating skills and knowledge of the general principles of how the computer works. The teaching must result in the students becoming familiar with working at a computer, and that through this they can build up appropriate images of how hardware and software work and interact. This is specified in the teaching courses.
– the conceptual aspect, which relates to knowledge of the concepts and methods used when the computer is used for communication and problem solving. The teaching must result in the students becoming especially aware of the common features in the form of concepts and methods found in virtually all computer applications. Such attention will help to create structure in the students' computer knowledge.
– the importance aspect, which relates to knowledge of the importance for the process that the computer has when it is used in connection with people communicating or solving problems. The teaching must result in the students being aware of whether the use of computers in these processes changes conditions and results when they later use the computer.
It is important to emphasize that the main aim of the teaching is to ensure that the students have opportunities to act in situations of use. Students only have such options if the use of computers is not dominated by technical problems or by the students' lack of knowledge of basic computer concepts and methods (cf. section "Characterization of computer education"). The teaching must therefore contribute to the students being able to use computers in an appropriate way.
It must be further emphasized that it is important that students gain knowledge that the computer can be used to solve many different tasks through the user's choice of different programs. This means that the computer is one of the most flexible tools at our disposal, and that we can often be forced to choose whether and, if so, how we want to use the computer. In many areas, starting to use computers will mean major changes compared to the use of previous technology: completely new possibilities can be opened up, but new limitations can also appear compared to what was previously possible.”
4.2.4. The digitization strategy 2011 to 2015
In its analysis and assessment, KL has repeatedly referred to the joint public digitization strategy 2011 to 2015, which was drawn up in August 2011 by the then government, the municipalities and the regions.[10]
The use and development of digital learning tools was a focus area in this strategy, where it is emphasized in several places that the primary school must keep up with the times. KL has below referred to appendix 3.1.a to the strategy, of which i.a. the following appears:
"In connection with the financial injection, there is a need for a discussion with the industry for digital teaching aids about how they can be committed to working for a development that supports some of the visions described above. Among other things, it can be discussed how it can be promoted that private actors contribute to translating and adapting tested foreign digital teaching aids to Danish conditions with a view to sales."
KL has also referred to appendix 3.4 to the strategy, of which i.a. the following appears:
"A prerequisite for the investment in IT to be successful is that IT is integrated into the development of new teaching and learning methods, so that traditional teaching is not simply continued with the power on". There is therefore, through experiments and research, a need to generally raise the level of knowledge about how to most effectively increase students' learning academically and socially with the help of IT tools, including knowledge about how teachers can organize and support teaching using digital teaching aids and digitally based learning courses.”
Finally, KL has referred to the agreement between the government and KL on the municipalities' finances for 2012. This includes, among other things, following:
"Strengthened use of IT in the primary school
Digital learning processes are part of many primary schools today, but a more fundamental change is needed. It is therefore part of the joint public digitization strategy that in the coming years the focus is on a strengthened use of IT, so that it becomes an integrated part of teaching in primary schools.
It must contribute to strengthening the students' professionalism and equip them better for future educational and job opportunities, support a more targeted organization of teaching and enable better resource utilization in the primary school.
The government and KL have therefore agreed on an ambitious effort, where the government has made reservations
DKK 500 million from the Foundation for Welfare Technology to over the coming years to:
Contribute to developing the market for digital teaching aids, including stimulating a large range of quality products. Support effective distribution channels that ensure easy and clear access to digital teaching aids, including providing access to digital learning objectives. Contribute to the dissemination of experiences from experimental and research projects, including providing limited support to demonstration schools, so that the development of IT-based forms of learning is focused on areas and subjects where the effect is greatest.
The government and KL agree that the funds will be disbursed according to the principles described in appendix 2. Any contributions to the purchase of learning materials are co-financed by the municipalities, at least equivalent to the state share.
In order to enable the transition in the area, it is included in the agreement that the municipalities will, within the current investment framework, ensure that all pupils have access to the necessary IT infrastructure, including in the form of stable and secure wireless networks with sufficient capacity, secure storage, power supply, etc.”
4.2.5. The Danish Data Protection Authority's assessment
In the Data Protection Authority's view, public authorities, as stipulated in the data protection regulation, the preamble considerations thereto, as well as the Ministry of Justice's report no. 1565/2017, have broad access to process personal data when necessary for the performance of their official duties.
The Danish Data Protection Authority recognizes that the above-mentioned "necessity requirement" is flexible and gives public authorities a wide margin to assess what is relevant and factual in the individual case, i.e. necessary for the authority to carry out its tasks in the manner intended by the legislation.
The question then is to what extent the municipalities can extend this flexibility to include the use of teaching and learning resources, which through their structure and delivery model imply that the municipalities pass on personal data to another independent data controller, the supplier of the learning resources – here Google – for use by (i) delivery and (ii) improvement of the learning resources and (iii) development of new features and services.
Initially, the Danish Data Protection Authority notes that KL has stated that the assessment of whether the municipalities have the right to pass on personal data to Google must be carried out in two stages. Firstly, it is assessed whether the municipalities have the right to pass on personal data to Google for use in providing the service. Next, it is assessed whether the municipalities have ensured that Google can legally receive and process the personal data for other purposes, including the development of new functions and services, in accordance with Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a.
The Danish Data Protection Authority is of the opinion that the assessment of whether the municipalities are authorized to pass on personal data to Google must be carried out in the light of all the purposes for which the data is to be processed. The municipalities must therefore assess whether there is authority to pass on personal data for use in the provision of the service and for other purposes, including the development of new functions and services. It includes all the purposes for which the municipalities are aware at the time of disclosure that the information will be processed.
The Norwegian Data Protection Authority refers in particular to the Norwegian Data Protection Authority's decision vis-à-vis Helsingør municipality of 18 August 2022. This includes, among other things, following:
"The information cannot therefore legally be passed on to other data controllers for use for their purposes, when it is a question of purposes that are not stipulated in the Folkeskole Act. This also includes the processing of personal data that may occur when students use the equipment and software.
It is the opinion of the Danish Data Protection Authority that the processing of personal data, which is provided for in the rules of the Folkeskole Act on compulsory education, and thus can take place in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter e, does not include that the information may be disclosed to other independent data controllers, including for use for purposes such as further development of technology suppliers' applications, etc. The Danish Data Protection Authority is of the opinion that the disclosure of personal data by public authorities to private data controllers generally requires a separate authorization when it is a question of purposes that lie outside the official tasks that the public authority is required to carry out.
The municipalities cannot therefore first assess whether there is authority to pass on personal data for certain purposes (delivery of the service) and then assume that the other purposes (development of new products, etc.), for which the personal data is also processed, must be assessed as Google's own further processing of the personal data for other purposes according to the Data Protection Regulation, Article 6, subsection 4, and subsection 1.
In this connection, the Danish Data Protection Authority attaches particular importance to the fact that this is processing that is determined in the basis of the agreement and required for the execution of the processing, and the situation cannot therefore be equated with the situation where a third party, after a disclosure, as an independent data controller subsequently chooses to use personal data for new own purposes.
KL has generally stated that it is stipulated in the Primary Schools Act that computers and digital learning aids must be fully integrated into teaching, and that the joint public digitization strategy for 2011 to 2015 focuses on working together with the industry for digital teaching aids for greater integration of digital learning aids in teaching, including the development of new teaching and learning aids.
KL has stated in detail that when using digital tools it is necessary to use technical data to continuously develop and improve the tools. The municipalities would over time get out-of-date products if the suppliers did not continuously improve and develop the tools. The development of digital teaching aids has taken place continuously, as required by the Primary Schools Act, the joint public digitization strategy 2011 to 2015 in the primary school area and the financial agreement. In KL's opinion, the teaching in the primary school will not meet the requirement in the Primary Schools Act for full integration of computers or digital teaching aids in teaching, if these teaching aids are not continuously matured through development, updating and improvement.
Finally, KL has stated that it appears from the joint public digitization strategy 2011 to 2015 that "the purpose of the digital learning processes is that they should strengthen the students' professionalism and prepare them better for the future."[11] In KL's view, this will not be possible to prepare students for the future with yesterday's digital learning tools. In this connection, it is not unexpected for the municipalities that the products they purchase improve and develop. It is also a wish for the municipalities that the products keep up with the times.
As stated in the Danish Data Protection Authority's decision of 14 July 2022 vis-à-vis Helsingør Municipality, the municipalities, as part of their responsibility for the primary school, have the right and duty to organize the teaching so that it meets the purpose of the primary school and the objectives for the individual subjects. It includes i.a. choice of teaching and working methods, teaching materials, etc. This follows from Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1.
In the Danish Data Protection Authority's view, these provisions also entail some access to processing personal data when necessary as part of the municipalities' choice of teaching and learning resources.
The majority of the information that Google receives and processes for its own purposes as part of the municipalities' use of Google Chromebooks and Workspace for Education is metadata about the individual student's use of the tools. It includes i.a. information about the computer's settings, information about the use of the tools, the applications, the Chrome browser, etc.
Google has informed KL that the purpose of processing this information can generally be divided into (i) original purposes and (ii) derived purposes. According to Google, the original purposes are inextricably linked to Google's provision of the tools and services in question to the municipalities. All personal data in question is received and processed initially for this purpose. In addition, the derived purposes enable Google to deliver value to customers and end users with respect to their use of the tools and services in question and otherwise fulfill Google's obligation as the data controller.
As far as the derived purposes are concerned, Google has stated that it i.a. includes (i) maintaining and improving the Google Workspace for Education service, Chrome OS and the Chrome browser, (ii) measuring the performance of Chrome OS and the Chrome browser, and (iii) developing new features and services in Chrome OS and The Chrome browser.
Google has also explained how the company processes the information for these derived purposes:
"When processing for these purposes, Google engineers do not use (and have no interest in using) personal data about specific end users or administrators at an individual level. Google has no interest in (for example) understanding whether and how a specific user uses a specific tool in one of its services, but Google does have an interest in understanding whether and how Google's users in general, on an overall level, use that tool . This means that Google's staff do not access or use any specific identifiers […] relating to any end user when processing for these purposes.
For example, in the context of ChromeOS, Google has no interest in processing an end user's specific device ID or serial number in order to "measure performance", but Google has an interest in processing large datasets of numbers of managed devices per country, regions , licenses, feature usage and failure rates etc keyed to a pseudonymous ID to understand the revenue distributions and generate insights of areas where Google needs to improve and – as such – “measure performance”.”
The Danish Data Protection Authority assumes that the municipalities, as part of their use of Chromebooks and Google Workspace for Education, process and pass on personal data to Google, and that this data is only processed for the original purposes and the derived purposes stated by KL.
Furthermore, the Danish Data Protection Authority assumes that the information with regard to the derived purposes is only processed for the development and improvement of services that the municipalities have purchased, and that Google does not process this information - or other information such as content data - for marketing purposes.
On the basis of the above-mentioned amendments to the Primary School Act, the Danish Data Protection Authority finds that it must be considered to have been the intention of the legislator that computers should form an integral part of the primary school. This has particularly come to the fore with the introduction of IT as a compulsory subject, where students had to gain knowledge of how IT could be used in communication and problem-solving processes, and how the use of IT affects such processes. Since then, the integration of computing has been expanded, as the compulsory subject was abolished, and computing became an integrated part of all primary school subjects.
The Norwegian Data Protection Authority also recognizes that over a number of years there has been a development in how IT systems and services are delivered. Since the 1990s, there have been significant changes in both architecture and functionality as well as the delivery model. Today, it is much more the norm for the suppliers of IT systems and services to collect and measure information about the use of the systems. This is done with a view to utilizing the full functionality of the solutions as well as continuously improving what is delivered and is to a large extent facilitated by the spread of the Internet and the increasing amount of computing power that is available.
The Danish Data Protection Authority notes, however, that this development has not necessarily taken place with the necessary focus on the data protection rules and consideration for the individual citizen. Although in Denmark, since the introduction of the Personal Data Act in 2000, there have been almost identical requirements for the legal processing of personal data, the data controllers have not made the necessary demands on their suppliers of IT systems and services, which ensured that the development in how IT services is delivered, took place within the framework of the data protection rules.
Overall, the Danish Data Protection Authority finds that there is no basis for overriding the municipalities' assessment that, as part of the municipalities' choice of teaching and learning materials in primary schools, it is necessary to process and pass on personal data to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) provision of and (ii) improvement of the security and reliability of the services in question, etc. ("the original purposes"), cf. the data protection regulation, article 6, subsection 1, letter e, cf. Article 6, subsection 3, and Section 2, subsection of the Folkeskoleoven. 1, and § 18, subsection 1. It includes i.a. processing of personal data for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
In this respect, the Danish Data Protection Authority has particularly emphasized that the purposes in question are inextricably linked with Google's delivery of Google Chromebooks and Workspace for Education to the municipalities, which must also be seen in the light of technological development and the development of how IT services are delivered Today.
The Danish Data Protection Authority also acknowledges that further development of the teaching and learning resources that the municipalities have decided to use in primary schools is necessary to ensure that the learning resources reflect the current times, so that students can learn to deal with the issues and challenges of today and the future with up-to-date and modern tools.
However, it is the Danish Data Protection Authority's assessment that the municipalities do not, within the framework of Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1, cf. the data protection regulation, article 6, subsection 1, letter e, may process and pass on personal data about school students to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) maintaining and improving the Google Workspace for Education service, Chrome OS and the Chrome browser, ( ii) measuring the performance of Chrome OS and the Chrome browser, and (iii) developing new features and services in Chrome OS and the Chrome browser (“the Derivative Purposes”).
The Norwegian Data Protection Authority places particular emphasis on the fact that these derived purposes do not only cover the development of the specific teaching and learning resources that the municipalities purchase, but also the general development of Google's products, e.g. Chrome OS and the Chrome browser. These products are not supplied exclusively to the municipalities, but are generally offered on the market, and further development thus benefits the market position of these products and the supplier in the broadest sense. Furthermore, the Danish Data Protection Authority has emphasized that this development takes place on the basis of personal data about school students, which is collected as part of their use of the learning resources that the school students are obliged to use, regardless of the fact that this personal data is aggregated into general patterns of use.
Although it can be said that this is a less intrusive processing of personal data, as the information is pseudonymised and aggregated, the requirements for the necessary legal basis are therefore less, and regardless of the flexibility that, in the opinion of the Danish Data Protection Authority, is found in Article 6, paragraph 1 of the Data Protection Regulation. 1, letter e, and the "necessity requirement" that appears in the provision, in the opinion of the Data Protection Authority, it does not appear that the necessary basis for the municipalities' disclosure of information for the purposes in question can be found in the relevant provisions of the Folkeskole Act.
Thus, it does not appear to be clear either from the wording of the primary school or the preparatory work that it is a necessary part of or a prerequisite for the municipalities' task resolution in accordance with the Primary Schools Act that the municipalities pass on personal data about school pupils to the supplier of teaching and learning materials for the purpose of the supplier's general further development of its IT products using this information. It follows neither from a natural understanding of the law's provisions on how computers were originally to be integrated in the primary school – and then in the individual subjects – nor from the curriculum and teaching guidance on the computer subject and its purpose.
Thus, it does not appear that it has been the intention of the Danish Parliament that the general further development of the teaching and learning resources that the municipalities decide must be used in primary schools must be able to take place by passing on personal data about school pupils who use the teaching and learning resources in question learning aids, to third parties, including the supplier thereof. Furthermore, it does not appear in any way that the Folketing has generally anticipated the technological development that has taken place since the adoption of the provisions in question in the Folkeskole Act in 1993.
It cannot lead to a different result that, in addition to the Folkeskole Act and its preparations, the KL has referred to the joint public digitization strategy 2011 to 2015 and the financial agreement between the municipalities and the government from 2012. None of these can be considered to be an expression of the legislator's intention to , which tasks and obligations the municipalities have according to the primary school, and how these must be carried out.
Finally, the Danish Data Protection Authority notes that the considerations mentioned do not appear to be an isolated problem in relation to the Folkeskole Act. The Danish Data Protection Authority therefore calls on the legislature to take a clear position going forward on the extent to which personal data about citizens as part of the social contract can or must be passed on in cases such as the one in question, including particularly in public-private collaborations.
The Danish Data Protection Authority therefore finds grounds to notify the municipalities of an order to bring the municipalities' processing of personal data in the form of passing on personal data to Google in accordance with Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a, and Article 6, subsection 1, as well as being able to demonstrate this, cf. the regulation's article 5, subsection 2.
This can happen e.g. by:
that the municipalities cease to pass on personal data to Google for the purposes in question, which probably presupposes that Google develops a technical option for the relevant data flows to be cut off, that Google refrains from processing information for these purposes, or that the Danish Parliament provides a sufficiently clear legal basis for the processing in question.
The Danish Data Protection Authority initially requests the municipalities to indicate how the municipalities intend to comply with the above-mentioned order. The Danish Data Protection Authority must request to receive this notification by 1 March 2024 at the latest.
The deadline for compliance with the order in general is 1 August 2024. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.
According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.
5. Concluding remarks
Based on the nature of the case, the Data Protection Authority has decided to inform the Danish Parliament's Legal Committee and the Committee for Digitization and IT, as well as the Ministry of Justice and the Ministry of Children and Education about the case.
As far as the other questions in the case are concerned, the Danish Data Protection Authority notes that the Danish Data Protection Authority continues to process these and expects to continue processing in parallel with the municipalities' compliance with the above-mentioned order.
[1] C-175/20, Valsts eizumenus dienests, paragraph 83.
[2] Legislative Decree No. 1086 of 15 August 2023 on the primary school.
[3] The digitalization strategy 2011 to 2015 with annexes can be accessed here: https://digst.dk/strategier/den-faellesoffentlige-digitaliseringsstrategi/tidligere-strategier/digitaliseringsstrategien-2011-til-2015/
[4] The digitalization strategy 2011 to 2015, Focus area 3 – Folkeskolen must challenge the digital generation, p. 22.
[5] Google has stated that the provision of personalized services "is a purpose under the Google Privacy Policy that applies to processing via Chrome Sync, except when the customer uses that service as part of Workspace for Education (in which case, the Google Privacy Policy, including this purpose, will not apply to that processing, and the Google Cloud Privacy Notice will apply instead). As we understand that all of the relevant Danish municipalities will use Chrome Sync as part of Workspace for Education, this processing purpose will not be applicable to their end users.”
[6] See note 6.
[7] See the definition of Services in s. 15.19 in the Google Workspace for Education Terms of Service
[8] See the definition of Chrome Services in s. 15 of the Chrome Online Agreement.
[9] Google Terms of Service (dated January 5, 2022): https://policies.google.com/terms
[10] Google Privacy Policy (dated October 4, 2023): https://policies.google.com/privacy
[11] Google Privacy Policy (dated October 4, 2023): https://policies.google.com/privacy
The Norwegian Data Protection Authority
Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk
About us
About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement
Shortcuts
Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme
follow us
The Norwegian Data Protection Authority on LinkedIn
New decision
The Danish Data Protection Authority issues an injunction in the Chromebook case
Date: 30-01-2024
Decision Public authorities Order Reported breach of personal data security Children Data processor Risk assessment and impact analysis Basic principles Processing basis
In the case of the use of Google Workspace in primary schools, the Norwegian Data Protection Authority assesses that there is no authority to pass on personal data to Google for all the purposes that are passed on today. Therefore, the Danish Data Protection Authority is now giving an order to the municipalities to bring the processing in line with the rules and indicates various ways in which this can be done.
Journal number: 2023-431-0001
Summary
Since the summer, the Norwegian Data Protection Authority has reviewed the extensive material that KL has sent on behalf of 53 municipalities in the case of the use of Google Workspace in schools, and has made a decision on that basis, which is published today.
The material has now given an in-depth description of the central aspects of the schools' use of the service and the supplier's use of data. This was an initial prerequisite for the municipalities to start processing the information in Google Workspace, and the relevant analyzes should therefore have been in place before the tools were put into use. This lack of clarification and the incomplete analyzes have been assessed and sanctioned in the Data Protection Authority's previous decisions against the 53 municipalities.
The municipalities state in the material now submitted that there is a transfer of personal data that Google uses for its own purposes. The Danish Data Protection Authority has therefore assessed the legality of these disclosures and made a decision in this part of the case, as the clarification of this is a prerequisite for being able to process the information as a whole. At the same time, this clarification sets the framework for a solution where personal data about schoolchildren can be processed in future.
"Before using a tool, you as a data controller must get an overview of how personal data is processed in it, and you must be able to document it. That requirement applies to all organisations. But when it comes to public authorities - where we which citizens themselves cannot opt out of our information being processed - the Danish Data Protection Authority has a special expectation that the necessary analyzes are both carried out and documented," says Allan Frank, IT security specialist and lawyer at the Danish Data Protection Authority, and continues:
"Most IT standard products today have a very complex contractual basis, which not only contains many options for variations in the processing of personal data, but also has a relatively high frequency of changes. This makes it more difficult than necessary for data-responsible companies and authorities to live up to GDPR, because it is easy to lose track of what is happening with data. We at the Danish Data Protection Authority therefore call for contracts to be made more transparent - not just in relation to the processing structure, but also in relation to the consequences when conditions surrounding the delivery change."
Order to legalize disclosure
The conclusion of the Danish Data Protection Authority's decision is that there is authority to pass on the students' information for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
At the same time, however, the assessment is that the Folkeskole Act does not sufficiently clearly authorize the municipalities to pass on the students' information for the maintenance and improvement of the Google Workspace for Education service, ChromeOS and the Chrome browser, or for measuring the performance and development of new functions and services in ChromeOS and the Chrome browser.
Therefore, the Danish Data Protection Authority gives an order to the municipalities to bring the processing in line with the rules by ensuring that there is authorization for all the processing that takes place. This can happen, for example, by:
That the municipalities no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted. That Google itself refrains from processing the information for these purposes. That the Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.
The municipalities must comply with the order from 1 August 2024, but must indicate how they intend to comply by 1 March at the latest.
"Today's IT services often function in such a way that the transfer of personal data is built into the product, and that the use of the information is often a prerequisite for getting the full benefit of the products' functionality. However, this does not always happen with sufficient focus on the protection of the citizens whose information is used. But neither the functionality of the solutions you want to use, the supplier's market position, the standardized structure or the mere use of a standard product can justify not complying with the rules on data protection , which it has been decided from a political point of view that we must have in Europe," says Allan Frank.
Which parts of the decision are pending?
On the basis of the municipalities' feedback on 1 March 2024, the Danish Data Protection Authority will notify the municipalities of which further concrete matters - in addition to the changes that have already taken place and are described in the submitted material - must be dealt with before the injunction deadline of 1 August 2024. This partial decision depends of how the municipalities will comply with the mandate on the processing basis for the said disclosures, and therefore it is a step-by-step process.
Decision
The Norwegian Data Protection Authority hereby returns to the case where, on 14 July 2022, the Norwegian Data Protection Authority notified Helsingør Municipality of a ban on processing personal data using Google Chromebooks and Workspace for Education. The Danish Data Protection Authority maintained this ban by decision of 18 August 2022.
On the basis of a subsequent dialogue with Helsingør municipality, where the municipality identified a number of circumstances where the use of Google Chromebooks and Workspace for Education had either not been legal, or where the risk to the registered had not been sufficiently identified and reduced, the Danish Data Protection Authority suspended the above-mentioned ban by decision of 8 September 2022. The Danish Data Protection Authority simultaneously notified Helsingør municipality of four orders.
Subsequently, in the period up to 24 October 2022, the Danish Data Protection Authority also issued the same four orders to the following 52 other municipalities:
1
Albertslund Municipality
19
Horsens Municipality
37
Slagelse Municipality
2
Allerød Municipality
20
Hvidovre municipality
38
Solrød Municipality
3
Ballerup Municipality
21
Hørsholm Municipality
39
Sorø Municipality
4
Dragør Municipality
22
Ishøj Municipality
40
Svendborg Municipality
5
Egedal Municipality
23
Jammerbugt Municipality
41
Syddjur Municipality
6
Fanø Municipality
24
Langeland Municipality
42
Thisted Municipality
7
Favrskov Municipality
25
Læsø Municipality
43
Tønder Municipality
8
Fax Municipality
26
Mariagerfjord Municipality
44
tårnby municipality
9
Municipality of Fredericia
27
Middelfart Municipality
45
Vejen Municipality
10
Faaborg-Midtfyn Municipality
28
Nordfyn Municipality
46
Vejle municipality
11
Glostrup Municipality
29
Næstved Municipality
47
Vesthimmerland Municipality
12
Greve Municipality
30
Odder Municipality
48
Vordingborg municipality
13
Gribskov Municipality
31
Odense Municipality
49
Ærø Municipality
14
Haderslev Municipality
32
Odsherred Municipality
50
Aalborg municipality
15
Hedensted Municipality
33
Randers Municipality
51
Municipality of Aarhus
16
Herlev Municipality
34
Rebild Municipality
52
Brøndby Municipality
17
Hjørring Municipality
35
Samsø Municipality
18
Holbæk Municipality
36
Silkeborg Municipality
KL then notified the Data Protection Authority on 12 September 2023 that KL and KOMBIT represent Helsingør and the 52 other municipalities mentioned above in the further processing of the cases by the authority.
1. Decision
After a review of the material which KL has forwarded on behalf of the 53 municipalities at the latest on 30 June 2023, the Danish Data Protection Authority - given the scope and complexity of the case - finds a basis for initially making a decision with regard to the question of the municipalities' disclosure of personal data to Google Ltd.
In this connection, the Danish Data Protection Authority finds that there is no basis for overriding the municipalities' assessment that, as part of the municipalities' choice of teaching and learning resources in primary schools, it is necessary to process and pass on personal data to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) provision of and (ii) improvement of the security and reliability of the services in question, etc. ("the original purposes"), cf. the data protection regulation, article 6, subsection 1, letter e, cf. Article 6, subsection 3, and Section 2, subsection of the Folkeskoleoven. 1, and § 18, subsection 1. It includes i.a. processing of personal data for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
However, it is the Danish Data Protection Authority's assessment that the municipalities do not, within the framework of Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1, cf. the data protection regulation, article 6, subsection 1, letter e, may process and pass on personal data about school students to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) maintenance and improvement of the Google Workspace for Education service, Chrome OS and the Chrome browser, ( ii) measuring the performance of Chrome OS and Chrome Browser, and (iii) developing new features and services of Chrome OS and Chrome Browser (“the Derivative Purposes”).
Against this background, the Danish Data Protection Authority finds that there is a basis for issuing an order to the municipalities to bring the municipalities' processing of personal data in the form of passing on personal data to Google in accordance with Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a, and Article 6, subsection 1, as well as being able to demonstrate this, cf. the regulation's article 5, subsection 2.
This can happen e.g. by:
that the municipalities cease to pass on personal data to Google for the purposes in question, which probably presupposes that Google develops a technical possibility for the data flows in question to be cut off, that Google refrains from processing information for these purposes, or that the Danish Parliament provides a sufficiently clear legal basis for the processing in question.
The Danish Data Protection Authority initially requests the municipalities to indicate how the municipalities intend to comply with the above-mentioned order. The Danish Data Protection Authority must request to receive this notification by 1 March 2024 at the latest.
The deadline for compliance with the injunction is 1 August 2024. The Danish Data Protection Authority must request to receive confirmation that the injunction has been complied with by the same date. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.
According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
In the period 8 September to 24 October 2022, the Data Protection Authority has notified 53 municipalities of the following orders regarding the municipalities' use of Google Chromebooks and Workspace for Education:
"The Danish Data Protection Authority gives [...] the Municipality an order to have the existing agreement with the data processor changed in such a way that the conditions mentioned in the Danish Authority's decisions of 14 July and 18 August 2022, in relation to Helsingør Municipality, as well as the material that […] Municipality has forwarded on […] 2022, and which derives from the overall basis of the agreement with the supplier, is brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, as well as for what purposes, the support situations that the municipality no longer uses, and ambiguities in the [contract text] that create uncertainty about the data processor's actions in addition to the rule in Article 28, subsection of the data protection regulation. 3, letter a. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.
The Danish Data Protection Authority further announces […] Municipality an order to describe the data flows that take place and identify the personal data that is passed on to the supplier, and makes it clear when the latter acts as an independent or shared data controller. The documentation must include the entire technology stack […] Municipality uses for the treatment.
The Danish Data Protection Authority further orders [...] the municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process, if it turns out that there are – in addition to those for which the Article 36 procedure has now been requested – additional high , non-mitigable high risks, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.
Finally, the Danish Data Protection Authority [...] orders the Municipality to present a final time-bound plan for the legalization of any processing that has not been able to be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation for compliance with the orders before the set date date."
KL informed the Norwegian Data Protection Authority on 12 September 2023 that KL and KOMBIT represent the above-mentioned municipalities in the further processing of the cases by the authority and would therefore come up with a joint response on behalf of all affected municipalities.
KL then forwarded on 3 November 2022 documentation for compliance with the Danish Data Protection Authority's order to the 53 municipalities. On 4 November 2022, KL sent supplementary material to this.
On 4 November 2022, the Norwegian Data Protection Authority notified KL and the affected municipalities that the Norwegian Data Protection Authority's ban of 18 August 2022 was suspended until the case processing of the received material was completed. The Danish Data Protection Authority stated in this connection that the Danish Data Protection Authority expected to complete the case processing before the end of 2022.
In the subsequent period, KL became aware that, in KL's opinion, there was a need to elaborate and change parts of the material, so that the municipalities could comply with the Danish Data Protection Authority's orders to a greater extent. KL therefore requested on 2 December 2022 the Danish Data Protection Authority to wait for this additional material.
The Danish Data Protection Authority accepted KL's request and set a deadline of 23 January 2023 to forward this additional material.
On January 23, 2023, KL sent this additional material. On the basis of a meeting between the Data Protection Authority and KL, Aarhus Municipality and KOMBIT about the material, KL found that there was a need to elaborate on the submitted material. KL therefore requested on 23 March 2023 the Norwegian Data Protection Authority to wait for this elaboration.
KL stated on 16 June 2023, prompted by a reminder from the Data Protection Authority of the same date, that KL expected to send the detailed material before the end of June 2023.
On 30 June 2023, the Data Protection Authority received a combined response with 32 annexes from KL, which also stated that the collection of documents constituted the affected municipalities' documentation for compliance with the Data Protection Authority's order.
KL's response of 30 June 2023 with annex constitutes, together with the above, a complete presentation of the case. KL's response of 30 June 2023 and annexes 16 and 26 to this are attached as annexes to this decision.
3. General remarks
The Danish Data Protection Authority first and foremost acknowledges the great work that the municipalities as the data controllers have carried out with a view to complying with the Danish Data Protection Authority's orders. There is now an adequate description of which data is processed, by whom and in what role. The work of the municipalities has also led to changes in the services that the municipalities use and the contract terms under which the services are delivered.
However, the Danish Data Protection Authority emphasizes that this work should have been carried out before Google Chromebooks and Workspace for Education were put into use. The municipalities' processing of personal data prior to this work is therefore, as the Danish Data Protection Authority has previously decided, in breach of several provisions in the data protection regulation.
Where several data controllers use the same systems and carry out approximately the same processing of personal data, in the opinion of the Danish Data Protection Authority there is a significant synergy in making joint assessments of risk factors, possible impact analyzes and mitigating measures.
In addition, the Danish Data Protection Authority must encourage associations and bodies representing categories of data controllers to draw up a code of conduct in accordance with Article 40 of the Data Protection Regulation in order to specify the application of the Data Protection Regulation.
A code of conduct can provide correct and practical instructions on how to communicate
with one or more processing activities must arrange themselves to comply with the data protection rules. It can, for example, be by determining procedures to be followed for a particular treatment activity. A code of conduct will therefore be a useful tool to help comply with data protection rules for the authorities that have signed up to the code.
While joining and complying with a code of conduct makes it easier to comply with the data protection rules, it does not exempt the individual municipalities from the duties and tasks incumbent upon them as data controllers. This is particularly important in situations where the data controller chooses to deviate from the prerequisites in the common concepts and treatments, e.g. when using a system for other purposes.
3.1. About legal processing of personal data
The principle of legality in administration (the principle of legality) implies that a public authority's decisions and administration must otherwise be supported by law or another legal basis.
When it comes to the data protection rules, this principle implies that public authorities – in addition to ensuring that the authorities' own tasks are carried out in accordance with the data protection rules – must also ensure that the IT solutions that the authorities decide to use to support the authorities' tasks are within within the framework of the data protection legal regulations.
Public authorities must therefore ensure and take measures to ensure that the authorities do not design, develop or acquire and use solutions that do not comply with the data protection rules. It can, among other things, happen by the authorities setting relevant requirements in their procurement procedures and project models that ensure the procurement or development of solutions in accordance with the data protection rules. The extent of these requirements may, in the Data Protection Authority's view, vary, taking into account the nature, scope and purpose of the processing activity that the solution must support, as well as the risks for citizens that may be associated with use of the solution. In any case, these requirements must consist of more than just a single requirement for the supplier that the solution must comply with the data protection rules. The requirements can e.g. reflect the measures that the authority has deemed necessary to take on the basis of its risk assessment or impact analysis in order to ensure the legality of the solution.
Finally, the Danish Data Protection Authority notes that the functionality of the solutions that are to be used, or the market position of the supplier that is to be chosen, cannot justify a failure to comply with the data protection rules. A standardized structure of the solutions or the mere use of a standard product cannot also justify a failure to comply with the data protection rules.
4. Reason for the Data Protection Authority's decision
4.1. Mapping of data flows and distribution of roles between the municipalities and Google
4.1.1. Distribution of roles
An impact analysis regarding data protection must, cf. the data protection regulation, article 35, subsection 7, at least contain i.a. a systematic description of the planned treatment activities and the purposes of the treatment.
It is a basic prerequisite for assessing and documenting your compliance with the data protection rules that you have knowledge of and can describe which information you process, for which purpose(s) and in which role.
On the basis of the Danish Data Protection Authority's order, KL, in collaboration with Google, has mapped which roles the municipalities and Google respectively have in the municipalities' use of Google Chromebooks and Workspace for Education, as well as which personal data is processed, by whom and for which purpose(s).
Overall, the municipalities are the data controller for the processing of personal data when the municipalities use Google Chromebooks and Workspace for Education. KL has also stated that Google's role across the technology stack is as follows:
The technology stack
Data controller
Data processor
Service Data
Customer Personal Data
Service Data
Customer Personal Data
Chrome OS
Yes
Yes
No
No
Chrome browser
Yes
Yes
No
No
Chrome EDU Upgrade
Yes
No
No
Yes
Workspace for Education (incl. Chrome Sync)
Yes
No
No
Yes
KL has thus stated that Google is the data controller for any processing of personal data that takes place as part of the use of Chrome OS and the Chrome browser, and that Google is not a data processor for the municipalities in that connection.
Furthermore, KL has stated that Google is the data controller for the processing of Service Data in Chrome EDU Upgrade and Workspace for Education, and that Google's processing of Customer Data in these two products takes place as a data processor for the municipalities.
A description of the processing activities for which Google is the data controller appears in appendix 26 to KL's response (attached). The mapping also contains a detailed description of the specific information that is processed and of the specific purposes of the processing.
The Norwegian Data Protection Authority understands that Customer Data generally includes content data, e.g. documents that are handled in Workspace etc., while Service Data primarily includes derived diagnostic data about e.g. school students' use of the products.
4.1.2. Basis of agreement
The municipalities' use of Chromebooks and Workspace for Education is regulated by two agreements with Google. These are the Google Workspace for Education Terms of Service (dated September 26, 2023) and the Chrome Online Agreement (dated April 7, 2022).
The agreements include the products Workspace for Education[1] and Chrome EDU Upgrade[2], which can be seen from the above overview of the technology stack.
The agreement Google Workspace for Education Terms of Services also refers to e.g. to the Cloud Data Processing Addendum (dated September 26, 2023), which thus constitutes the data processing agreement with respect to the Workspace for Education product.
In addition, the Chrome Online Agreement refers to, among other things, to the Data Processing Amendment to Chrome Agreements (dated 16 February 2023), which constitutes the data processing agreement for the product Chrome EDU Upgrade.
In both sets of agreements, Customer Data and Customer Personal Data have specific meanings.
Service Data, which is processed as part of the use of Workspace for Education and Chrome EDU Upgrade, is defined in more detail in the Google Cloud Privacy Notice (dated 21 August 2023) and is not covered by the municipalities' agreement with Google, but is processed by Google as the data controller .
The municipalities' use of Chrome OS and the Chrome browser, see further below, is also not regulated by agreements between the municipalities and Google.
Instead, according to Google, the use of Chrome OS is governed by Google's General Terms of Service[3] and Privacy Policy[4]. The terms of service are not concluded with the municipalities, but with the individual end user, which in this case are school students (and their parents).
Correspondingly, the following appears from Appendix 26, p. 3 at the bottom:
"Today, Google acts as a data controller when providing ChromeOS and Chrome browser, for both Customer Data and Service Data. As part of providing Chrome services, Google processes personal identifiers relating to devices or end users of Chrome, which are only used for the purposes set forth in the Google Privacy Policy.”
On that basis - and on the basis of the division of roles between the municipalities and Google that KL has informed - the Danish Data Protection Authority assumes that the use of the Chrome browser is not regulated by an agreement between the municipalities and Google, but instead is regulated by Google's general terms of service and privacy policy, as is also the case for Chrome OS.
4.1.3. The purposes of processing personal data
In connection with its dialogue with Google, KL has found it necessary to clarify the basis of the agreement with Google with regard to the purposes for which Google processes the information. As part of the response of 30 June 2023, KL has forwarded a draft of the contract addendum, which clarifies e.g. for which purposes Google may process the information.
For Workspace for Education, Google will then process Customer Data as a data processor for the municipalities to provide the service and support (upon request from the municipalities). Google has also specified that Customer Data will not be processed for marketing purposes or to improve Google's products and services, including Workspace for Education.
Google is further committed to only process Service Data generated by the use of Workspace for Education as a data controller to improve and optimize the performance, reliability, core functionality, availability, data protection, security and efficiency of the IT infrastructure of (a) Google Workspace for Education and support therefor, as well as (b) Google Cloud, Google Cloud Marketplace and Google Workspace Marketplace services, provided that the municipalities use such services. Google will not process Service Data to improve or optimize other Google products or services.
For Chrome EDU Upgrade, Google will process Customer Personal Data to:
(a) to provide, secure, and monitor the Services and any TSS requested by Customer; (b) to support Customer's and its End Users' secure and compliant use of the Services; (c) as described in this Data Processing Amendment, including Sections 10 (Data Transfers) and 11 (Subprocessors); (d) as described in Section 7 (Confidentiality; Legal Process) of the Agreement, provided that any disclosure by Google or any Subprocessor with its address in the EEA complies with European Data Protection Law; and (e) as further specified via (i) Customer's compliant use of the Services (including the Admin Console and other Services functionality) and any TSS requested by Customer, and (ii) any other written instructions given by Customer and acknowledged by Google as constituting instructions under this Addendum”
KL has also stated that the Service Data that is processed as part of the Chrome EDU Upgrade is a subset of the Service Data that is processed as part of the Chrome browser.
Furthermore, KL has stated that Google is the data controller for the processing of all personal data, regardless of whether the information is characterized as Service Data or Customer Personal Data, as part of the use of Chrome OS and the Chrome browser.
The purposes of Google's processing of Service Data in Chrome EDU Upgrade, and all other personal data in Chrome OS and the Chrome browser appear in Google's privacy policy[5].
In summary, KL has stated that Google processes personal data for which the company is independently data responsible, across the technology stack for the following purposes:
Favor
Original purposes
Secondary purposes
Workspace for Education
Provide cloud services that the municipalities request
Provide recommendations on optimizing use of the cloud services
Assist the municipalities
Protect the municipalities, Google's users, customers, the public and Google
Comply with legal obligations
Maintain and improve cloud services
Provide and improve other services requested by municipalities
Chrome OS
Provide Google services
Improve the security and reliability of services
Communicate with customers
Provide personalized services (Google Sync)[6]
Comply with legal obligations
Maintain and improve Google services
Measure performance
Develop new features and services
Chrome browser
Provide Google services
Improve the security and reliability of services
Communicate with customers
Provide personalized services (Google Sync)[7]
Comply with legal obligations
Maintain and improve Google services
Measure performance
Develop new features and services
Finally, KL has described in more detail the above purposes and how personal data is processed as part of these purposes. This appears from appendix 26 to KL's response (attached).
4.1.4. The Danish Data Protection Authority's assessment
After a review of KL's response, the Danish Data Protection Authority finds that the municipalities have described what personal data is processed as part of the municipalities' use of Chromebooks Workspace for Education, as well as what roles the municipalities and Google have in the processing of the information. The description includes the entire technology stack.
The Norwegian Data Protection Authority then considers the Norwegian Data Protection Authority's order to describe the data flows that take place and describe which personal data is passed on to Google to be complied with.
The Norwegian Data Protection Authority notes, however, that the description of the data flows and the basis of the agreement that regulates the municipalities' use of Chromebooks and Workspace for Education is complex. In the opinion of the supervisory authority, this in itself entails a risk of non-compliance with the data protection rules. This is because even minor changes in the technology stack or the basis of the agreement can involve consequential changes that the municipalities can overlook.
The Danish Data Protection Authority therefore encourages the municipalities to engage in further dialogue with Google to simplify, in particular, the basis of the agreement or to ensure that the municipalities possess or have access to the necessary technical and legal competences to ensure that the data protection rules are complied with.
4.2. Dissemination of personal data
4.2.1. The Data Protection Regulation
Personal data can be processed on the basis of one of several processing bases, which can be found in the data protection regulation, article 6, subsection 1. For public authorities, processing of personal data will most often take place because it is necessary to comply with a legal obligation, cf. Article 6, paragraph 1, letter c, or because the processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, cf. Article 6, subsection 1, letter e.
In both cases, the processing must have a so-called supplementary legal basis, which obligates or entitles the authority to carry out a specific authority task. It follows from the data protection regulation's article 6, subsection 3.
4.2.2. Requirements for the supplementary legal basis
Article 6 of the Data Protection Regulation, subsection 3, contains several requirements for the supplementary legal basis, which must therefore meet certain criteria.
Firstly, it is required according to Article 6, paragraph 3, 1st point, that the basis for the processing must appear from EU law or national law.
It appears from preamble consideration no. 45 that the data protection regulation does not imply that a specific law is required for each individual processing pursuant to Article 6, subsection 1, letter e. A law may be sufficient as a basis for several data processing activities. However, there is a requirement that processing according to the provision takes place on the basis of EU law or national law. Furthermore, it follows from preamble no. 41 to the data protection regulation that the legal basis in question does not necessarily require a law, but that the legal basis should be clear and precise, and the scope should be predictable for persons covered by the scope of the legal basis.
From the Ministry of Justice's report no. 1565/2017, p. 132f., the following appears about the regulation's article 6, subsection 1, letter e:
"In this connection, it must be assumed that Article 6, subsection 1, letter e, is directly applicable as a basis for processing, as long as the data controller performs a task in the interest of society or which falls under the exercise of public authority, which the data controller has been assigned. The use of Article 6, subsection 1, letter e, as a basis for processing, thus does not require national, implementing legislation on the actual processing of personal data in connection with the performance of tasks in the interest of society or as part of the exercise of public authority.
The use of Article 6, subsection 1, letter e, does not necessarily require that the task, which requires the processing of personal data, is expressly assigned to the authority in the legislation. In this connection, reference can be made to [The Danish Data Protection Authority's statement in the case with j.no. 2004-54-1394], where the inspection found it natural that the Ministry of Education, as the central authority in the area, solved a task regarding digital registration for and application for admission to education programs, even though there was no express legal authority that assigned the task to the ministry. The ministry could therefore use i.a. § 6 pieces. 1, no. 5, in the Personal Data Act on processing that is necessary for the performance of a task in the interest of society.”
In addition, the following appears from p. 160 of the report on the regulation's article 6, subsection 3:
"It also follows from the regulation's article 6, subsection 3, 2nd point, specifically regarding processing referred to in Article 6, subsection 1, letter e – i.e. for the purpose of carrying out a task in the interest of society or which falls under the exercise of public authority - that the processing must be "necessary for the performance of a task in the interest of society or which falls under the exercise of public authority". Here, too, it must be sufficient for the fulfillment of this requirement of necessity that it can be derived from the relevant national law with its preamble, on the condition that the processing is actually "necessary".
In Article 6, subsection 3, last indent, there is an additional requirement for the legislation that adapts the application of the data protection regulation. There is a requirement that the national law of the Member States must fulfill an objective in the interest of society and be proportionate to the legitimate aim pursued. The Data Protection Regulation thus establishes a requirement for proportionality and observance of the public interest in connection with national law and EU law, which adapts the application of the Data Protection Regulation.”
In connection with the Ministry of Justice's national evaluation of the data protection rules in April 2021, the Danish Data Protection Authority stated, among other things, the following in a contribution to the ministry:
"The provisions in the regulation's article 6, subsection 2 and 3, implies, firstly, that the processing – in order to be able to take place in accordance with 6, subsection 1, letter e – must appear from EU law or the national law of the Member States. This means that the application of Article 6, subsection 1, letter e, requires that the processing is provided for in EU law or national law, but not necessarily that there is national implementing legislation on the processing itself. […]
In other and the vast majority of cases, however, the special legislation will not contain specific requirements for the processing of personal data or otherwise prescribe specifically whether and which personal data must be processed. Processing of personal data will, however, typically be a prerequisite for the authority to be able to solve the tasks prescribed by legislation. This could, for example, be an authority's assessment of a citizen's right to social benefits according to the social legislation or legislation on the authority's tasks in the area of children and schools.
When processing according to the regulation's article 6, subsection 1, letter e, can be considered necessary, must in these cases be held up against the tasks and obligations that the authority has in accordance with the legislation that regulates its work. Similarly, in relation to the requirement of necessity, which follows from the regulation's article 5, subsection 1, letter c.
In this connection, it is important to emphasize that the data protection rules are not intended to stand in the way of or make it difficult for public authorities to carry out their tasks. The data protection rules, including the requirement of necessity, do not therefore imply that public authorities must, at all costs, organize their task performance in such a way that as little personal data as possible is processed, if this would prevent the authority from fulfilling its tasks in the manner intended by the legislation.
The data protection legal requirement of necessity, on the other hand, is flexible and gives the data controller – in this context public authorities – the opportunity to assess what is relevant and factual in the individual case, i.e. necessary for the authority to carry out its tasks in the manner intended by the legislation. In this connection, it is also important to keep in mind that the authority which is required by law to carry out a task, in the nature of the matter, has the best prerequisites for assessing what is factual and relevant to solve the task, as it it is precisely the authority in question that has the most knowledge of how any sector-specific legislation is implemented in practice.
It will thus be within the framework of the data protection regulation, Article 6, subsection 1, letter e, if the authority can point to a legal basis as the reason for the processing, and if the processing is not – based on a general consideration – unnecessarily intrusive for the data subject, e.g. because the processing is solely a practical way for the authority to fulfill its purpose, which does not take into account the data subject.
In other words, public authorities have quite a broad framework for assessing which processing of information is necessary to carry out the authority's tasks in accordance with the legislation.”
Finally, the European Court of Justice states the following in its judgment of 24 February 2022 in case C-175/20[8]:
"In this regard, it is nevertheless noted that the legislation which forms the basis for the processing, in order to meet the requirement of proportionality, as Article 5, paragraph 1, letter c), [...] is an expression of [...], must lay down clear and precise rules that regulate the scope and application of the measure in question, and that set minimum requirements, so that the persons whose personal data are affected have adequate safeguards that enable this information to be effectively protected against the risk of misuse. This legislation must be legally binding in national law and, in particular, indicate in what circumstances and under what conditions a measure on the processing of such information can be adopted, thereby ensuring that the intervention is limited to what is strictly necessary”
The requirement for the clarity of the legal basis in question thus generally depends on how intrusive the processing of personal data that takes place in the solution will be for the citizen. If it is a completely harmless treatment, the requirements will be less than if it is an intrusive treatment, where greater demands are placed on the clarity of the legal basis.
4.2.3. The Public Schools Act
The municipalities' authority tasks in the school area appear in the Folkeskole Act [9]. Of the act's section 1, subsection 1, and § 2, subsection 1, the following appears:
"§ 1. The folk school, in cooperation with the parents, must give students knowledge and skills that: prepare them for further education and make them want to learn more, make them familiar with Danish culture and history, give them an understanding of other countries and cultures, contributes to their understanding of man's interaction with nature and promotes the individual student's versatile development. […]
"§ 2. The municipal board is responsible for the primary school, cf. however § 20, subsection 3, § 44 and § 45, subsection 2, 2nd point The municipal board is responsible for ensuring that all children in the municipality have the right to free education in primary school.”
In addition, the following follows from section 5, subsection of the Act. 1 and 2:
§ 5. The content of the teaching is chosen and organized so that it gives the students the opportunity for professional immersion, overview and experience of contexts. The teaching must give students the opportunity to acquire the cognitive and working methods of the individual subjects. In interaction with this, the students must have the opportunity to use and develop the acquired knowledge and skills through teaching in cross-cutting subjects and issues.
PCS. 2. Teaching in grades 1-9. class is given within 3 subject blocks and includes for all students: […]”
From the preparations for the provision (Folketingstidende 1992-93, appendix A, bill of 22 April 1993, sp. 8939) the following appears:
"For all the subjects in the three groups, you must be aware that computing must be integrated, as described in the teaching guide for the compulsory subject computer computing under the current law and in the supplements to the subjects' curricula that are and have been sent out by the ministry In recent years. Integration of computers provides an opportunity for the development of the subject's subjects, concepts and methods, and examples of this will be included in future teaching guides."
In this context, the following appears from the preparatory work for section 7 of the act (a. st., sp. 8943), which lays down compulsory subjects that must be included in teaching in primary school:
"Computer science is proposed to be abolished as a compulsory subject, as it is assumed that the content is integrated into the compulsory subjects at the youngest grade levels. In this way, all students gain a basic understanding of the concepts and methods of information technology and a knowledge of where computers can be used to advantage in the subjects. This knowledge must form the basis for the general integration of computers in the subjects, cf. here also the comments to section 5 of the bill."
This is also apparent from Section 18, subsection of the Folkeskole Act. 1, which i.a. deals with the choice of teaching aids:
"The organization of the teaching, including the choice of teaching and working methods, methods, teaching materials and material selection, must in all subjects meet the primary school's purpose, goals for subjects and subjects and be varied so that it corresponds to the needs and prerequisites of the individual student."
Furthermore, section 19, subsection of the Act states 1, the following:
"The necessary teaching aids must be made available free of charge to the students. However, this does not apply to instruments and equipment that are used for teaching during free time according to § 3, subsection 6, and which the students take home for their own use.”
From the preparations for the provision (Folketingstidende 1992-93, appendix A, bill of 22 April 1993, sp. 8956) the following appears:
"As a result of the fact that computing has moved from being a compulsory subject to being an integral part of the subject's content, it is assumed that the ongoing development of equipping schools with information technology teaching aids and giving teachers the necessary educational background continues, so that the intentions whether the full integration of IT can be realized within the next few years."
The introduction of computer science as a compulsory subject took place by Act No. 435 of 13 June 1990. To support the introduction of the subject as a compulsory subject, the Ministry of Education prepared - as stipulated in the preparations for the provision (Folketingstidende 1989-90, appendix A, bill of 14 March 1990, sp. 5194) – an indicative curriculum and teaching guide. The curriculum and the teaching guide state the following about the purpose of the IT subject:
"Purpose of the compulsory subject computing
- students must be familiar with using hardware and software.
– the students must acquire knowledge of how the computer is used in communication and problem-solving processes.
– students must acquire knowledge of how the use of computers affects communication and problem-solving processes.
Notes on the purpose
People have always communicated with each other using sounds, images, writing etc. In many of these communication processes they have used tools, e.g. pencil, brush, typewriter and telephone. Such tools will always have an impact on how people communicate with each other. The same is true when we solve problems.
The use of computers is now so widespread that one can rightly claim that it is a tool that everyone will come to use. Many other tools focus largely on physical processes. This is not the case with computers, as this tool predominantly supports processes of an intellectual nature.
It is therefore extremely important that people are able to appropriately involve computers in communication and problem-solving processes. At the same time, this will be an essential prerequisite for being able to behave in a society where democratic decision-making processes and ways of dealing are a matter of course. There are therefore certain prerequisites that all citizens must possess, and which must therefore be part of general education in line with, for example, being able to read, write and calculate.
The purpose of the teaching in computing includes 3 aspects:
– the operating aspect, which relates to general operating skills as well as knowledge of the general principles of how the computer works. The teaching must result in the students becoming familiar with working at a computer, and that through this they can build up appropriate images of how hardware and software work and interact. This is specified in the teaching courses.
– the conceptual aspect, which relates to knowledge of the concepts and methods used when the computer is used for communication and problem solving. The teaching must result in the students becoming especially aware of the common features in the form of concepts and methods found in virtually all computer applications. Such attention will help to create structure in the students' computer knowledge.
– the importance aspect, which relates to knowledge of the importance for the process that the computer has when it is used in connection with people communicating or solving problems. The teaching must result in the students being aware of whether the use of computers in these processes changes conditions and results when they later use the computer.
It is important to emphasize that the main aim of the teaching is to ensure that the students have opportunities to act in situations of use. Students only have such options if the use of computers is not dominated by technical problems or by the students' lack of knowledge of basic computer concepts and methods (cf. section "Characterization of computer education"). The teaching must therefore contribute to the students being able to use computers in an appropriate way.
It must be further emphasized that it is important that students gain knowledge that the computer can be used to solve many different tasks through the user's choice of different programs. This means that the computer is one of the most flexible tools at our disposal, and that we can often be forced to choose whether and, if so, how we want to use the computer. In many areas, starting to use computers will mean major changes compared to the use of previous technology: completely new possibilities can be opened up, but new limitations can also appear compared to what was previously possible.”
4.2.4. The digitization strategy 2011 to 2015
In its analysis and assessment, KL has repeatedly referred to the joint public digitization strategy 2011 to 2015, which was drawn up in August 2011 by the then government, the municipalities and the regions.[10]
The use and development of digital learning tools was a focus area in this strategy, where it is emphasized in several places that the primary school must keep up with the times. KL has below referred to appendix 3.1.a to the strategy, of which i.a. the following appears:
"In connection with the financial injection, there is a need for a discussion with the industry for digital teaching aids about how they can be committed to working for a development that supports some of the visions described above. Among other things, it can be discussed how it can be promoted that private actors contribute to translating and adapting tested foreign digital teaching aids to Danish conditions with a view to sales."
KL has also referred to appendix 3.4 to the strategy, of which i.a. the following appears:
"A prerequisite for the investment in IT to be successful is that IT is integrated into the development of new teaching and learning methods, so that traditional teaching is not simply continued with the power on". There is therefore, through experiments and research, a need to generally raise the level of knowledge about how to most effectively increase students' learning academically and socially with the help of IT tools, including knowledge about how teachers can organize and support teaching using digital teaching aids and digitally based learning courses.”
Finally, KL has referred to the agreement between the government and KL on the municipalities' finances for 2012. This includes, among other things, following:
"Strengthened use of IT in the primary school
Digital learning processes are part of many primary schools today, but a more fundamental change is needed. It is therefore part of the joint public digitization strategy that in the coming years the focus is on a strengthened use of IT, so that it becomes an integrated part of teaching in primary schools.
It must contribute to strengthening the students' professionalism and equip them better for future educational and job opportunities, support a more targeted organization of teaching and enable better resource utilization in the primary school.
The government and KL have therefore agreed on an ambitious effort, where the government has made reservations
DKK 500 million from the Foundation for Welfare Technology to over the coming years to:
Contribute to developing the market for digital teaching aids, including stimulating a large range of quality products. Support effective distribution channels that ensure easy and clear access to digital teaching aids, including providing access to digital learning objectives. Contribute to the dissemination of experiences from experimental and research projects, including providing limited support to demonstration schools, so that the development of IT-based forms of learning is focused on areas and subjects where the effect is greatest.
The government and KL agree that the funds will be disbursed according to the principles described in appendix 2. Any contributions to the purchase of learning materials are co-financed by the municipalities, at least equivalent to the state share.
In order to enable the transition in the area, it is included in the agreement that the municipalities will, within the current investment framework, ensure that all pupils have access to the necessary IT infrastructure in the form of stable and secure wireless networks with sufficient capacity, secure storage, power supply, etc.”
4.2.5. The Danish Data Protection Authority's assessment
In the Data Protection Authority's view, public authorities, as stipulated in the data protection regulation, the preamble considerations thereto, as well as the Ministry of Justice's report no. 1565/2017, have broad access to process personal data when necessary for the performance of their official duties.
The Danish Data Protection Authority recognizes that the above-mentioned "necessity requirement" is flexible and gives public authorities a wide margin to assess what is relevant and factual in the individual case, i.e. necessary for the authority to carry out its tasks in the manner intended by the legislation.
The question then is to what extent the municipalities can extend this flexibility to include the use of teaching and learning resources, which through their structure and delivery model imply that the municipalities pass on personal data to another independent data controller, the supplier of the learning resources – here Google – for use by (i) delivery and (ii) improvement of the learning resources and (iii) development of new functions and services.
Initially, the Danish Data Protection Authority notes that KL has stated that the assessment of whether the municipalities have the right to pass on personal data to Google must be carried out in two stages. Firstly, it is assessed whether the municipalities have the right to pass on personal data to Google for use in providing the service. Next, it is assessed whether the municipalities have ensured that Google can legally receive and process the personal data for other purposes, including the development of new functions and services, in accordance with Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a.
The Danish Data Protection Authority is of the opinion that the assessment of whether the municipalities are authorized to pass on personal data to Google must be carried out in the light of all the purposes for which the data is to be processed. The municipalities must therefore assess whether there is authority to pass on personal data for use in the provision of the service and for other purposes, including the development of new functions and services. It includes all the purposes for which the municipalities are aware at the time of disclosure that the information will be processed.
The Norwegian Data Protection Authority refers in particular to the Norwegian Data Protection Authority's decision vis-à-vis Helsingør municipality of 18 August 2022. This includes, among other things, following:
"The information cannot therefore legally be passed on to other data controllers for use for their purposes, when it is a question of purposes that are not provided for in the Primary Schools Act. This also includes the processing of personal data that may occur when students use the equipment and software.
It is the opinion of the Danish Data Protection Authority that the processing of personal data, which is provided for in the rules of the Folkeskole Act on compulsory education, and thus can take place in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter e, does not include that the information may be disclosed to other independent data controllers, including for use for purposes such as further development of technology suppliers' applications, etc. The Danish Data Protection Authority is of the opinion that the disclosure of personal data by public authorities to private data controllers generally requires a separate authorization when it is a question of purposes that lie outside the official tasks that the public authority is required to carry out.
The municipalities cannot therefore first assess whether there is authority to pass on personal data for certain purposes (delivery of the service) and then assume that the other purposes (development of new products, etc.), for which the personal data is also processed, must be assessed as Google's own further processing of the personal data for other purposes according to the Data Protection Regulation, Article 6, subsection 4, and subsection 1.
In this connection, the Danish Data Protection Authority attaches particular importance to the fact that this is processing that is determined in the basis of the agreement and required for the execution of the processing, and the situation cannot therefore be equated with the situation where a third party, after a disclosure, as an independent data controller subsequently chooses to use personal data for new own purposes.
KL has generally stated that it is stipulated in the Primary Schools Act that computers and digital learning aids must be fully integrated into teaching, and that the joint public digitization strategy for 2011 to 2015 focuses on working together with the industry for digital teaching aids for greater integration of digital learning aids in teaching, including the development of new teaching and learning aids.
KL has stated in detail that when using digital tools it is necessary to use technical data to continuously develop and improve the tools. The municipalities would over time get out-of-date products if the suppliers did not continuously improve and develop the tools. The development of digital teaching aids has taken place continuously, as required by the Primary Schools Act, the joint public digitization strategy 2011 to 2015 in the primary school area and the financial agreement. In KL's view, the teaching in the primary school will not meet the requirement in the Primary Schools Act for full integration of computers or digital teaching aids in teaching, if these teaching aids are not continuously matured through development, updating and improvement.
Finally, KL has stated that it appears from the joint public digitization strategy 2011 to 2015 that "the purpose of the digital learning processes is that they must strengthen the students' professionalism and prepare them better for the future."[11] In KL's view, this will not be possible to prepare students for the future with yesterday's digital learning tools. In this connection, it is not unexpected for the municipalities that the products they purchase improve and develop. It is also a wish for the municipalities that the products keep up with the times.
As stated in the Danish Data Protection Authority's decision of 14 July 2022 vis-à-vis Helsingør Municipality, the municipalities, as part of their responsibility for the primary school, have the right and duty to organize the teaching so that it meets the purpose of the primary school and the objectives for the individual subjects. It includes i.a. choice of teaching and working methods, teaching materials, etc. This follows from Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1.
In the Danish Data Protection Authority's view, these provisions also entail a certain access to processing personal data when necessary as part of the municipalities' choice of teaching and learning resources.
The majority of the information that Google receives and processes for its own purposes as part of the municipalities' use of Google Chromebooks and Workspace for Education is metadata about the individual student's use of the tools. It includes i.a. information about the computer's settings, information about the use of the tools, the applications, the Chrome browser, etc.
Google has informed KL that the purpose of processing this information can generally be divided into (i) original purposes and (ii) derived purposes. According to Google, the original purposes are inextricably linked to Google's provision of the tools and services in question to the municipalities. All personal data in question is received and processed initially for this purpose. In addition, the derived purposes enable Google to deliver value to customers and end users with respect to their use of the tools and services in question and otherwise fulfill Google's obligation as the data controller.
As far as the derived purposes are concerned, Google has stated that it i.a. includes (i) maintaining and improving the Google Workspace for Education service, Chrome OS and the Chrome browser, (ii) measuring the performance of Chrome OS and the Chrome browser, and (iii) developing new features and services in Chrome OS and The Chrome browser.
Google has also explained how the company processes the information for these derived purposes:
"When processing for these purposes, Google engineers do not use (and have no interest in using) personal data about specific end users or administrators at an individual level. Google has no interest in (for example) understanding whether and how a specific user uses a specific tool in one of its services, but Google does have an interest in understanding whether and how Google's users in general, on an overall level, use that tool . This means that Google's staff do not access or use any specific identifiers […] relating to any end user when processing for these purposes.
For example, in the context of ChromeOS, Google has no interest in processing an end user's specific device ID or serial number in order to "measure performance", but Google has an interest in processing large datasets of numbers of managed devices per country, regions , licenses, feature usage and failure rates etc keyed to a pseudonymous ID to understand the revenue distributions and generate insights of areas where Google needs to improve and – as such – “measure performance”.”
The Danish Data Protection Authority assumes that the municipalities, as part of their use of Chromebooks and Google Workspace for Education, process and pass on personal data to Google, and that this data is only processed for the original purposes and the derived purposes stated by KL.
Furthermore, the Danish Data Protection Authority assumes that the information with regard to the derived purposes is only processed for the development and improvement of services that the municipalities have purchased, and that Google does not process this information - or other information such as content data - for marketing purposes.
On the basis of the above-mentioned amendments to the Primary School Act, the Danish Data Protection Authority finds that it must be considered to have been the intention of the legislator that computers should form an integral part of the primary school. This has particularly come to the fore with the introduction of IT as a compulsory subject, where students had to gain knowledge of how IT could be used in communication and problem-solving processes, and how the use of IT affects such processes. Since then, the integration of computing has been expanded, as the compulsory subject was abolished, and computing became an integrated part of all primary school subjects.
The Norwegian Data Protection Authority also recognizes that over a number of years there has been a development in how IT systems and services are delivered. Since the 1990s, there have been significant changes in both architecture and functionality as well as the delivery model. Today, it is much more the norm for the suppliers of IT systems and services to collect and measure information about the use of the systems. This is done with a view to utilizing the full functionality of the solutions as well as continuously improving what is delivered and is to a large extent facilitated by the spread of the Internet and the increasing amount of computing power that is available.
The Danish Data Protection Authority notes, however, that this development has not necessarily taken place with the necessary focus on the data protection rules and consideration for the individual citizen. Although in Denmark, since the introduction of the Personal Data Act in 2000, there have been almost identical requirements for the legal processing of personal data, the data controllers have not made the necessary demands on their suppliers of IT systems and services, which ensured that the development in how IT services is delivered, took place within the framework of the data protection rules.
Overall, the Danish Data Protection Authority finds that there is no basis for overriding the municipalities' assessment that, as part of the municipalities' choice of teaching and learning materials in primary schools, it is necessary to process and pass on personal data to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) provision of and (ii) improvement of the security and reliability of the services in question, etc. ("the original purposes"), cf. the data protection regulation, article 6, subsection 1, letter e, cf. Article 6, subsection 3, and Section 2, subsection of the Folkeskoleoven. 1, and § 18, subsection 1. It includes i.a. processing of personal data for the purpose of providing the services, improving the security and reliability of the services, communication with e.g. the municipalities and compliance with legal obligations.
In this respect, the Danish Data Protection Authority has particularly emphasized that the purposes in question are inextricably linked with Google's delivery of Google Chromebooks and Workspace for Education to the municipalities, which must also be seen in the light of technological development and the development of how IT services are delivered Today.
In addition, the Danish Data Protection Authority recognizes that further development of the teaching and learning resources that the municipalities have decided to use in primary schools is necessary to ensure that the learning resources reflect the current times, so that students can learn to deal with the issues and challenges of today and the future with up-to-date and modern tools.
However, it is the Danish Data Protection Authority's assessment that the municipalities do not, within the framework of Section 2, subsection of the Folkeskole Act. 1, and § 18, subsection 1, cf. the data protection regulation, article 6, subsection 1, letter e, may process and pass on personal data about school students to Google as part of the use of Google Chromebooks and Workspace for Education for use in (i) maintenance and improvement of the Google Workspace for Education service, Chrome OS and the Chrome browser, ( ii) measuring the performance of Chrome OS and the Chrome browser, and (iii) developing new features and services in Chrome OS and the Chrome browser (“the Derivative Purposes”).
The Danish Data Protection Authority places special emphasis on the fact that these derived purposes not only cover the development of the specific teaching and learning resources that the municipalities purchase, but also the general development of Google's products, e.g. Chrome OS and the Chrome browser. These products are not supplied exclusively to the municipalities, but are generally offered on the market, and further development thus benefits the market position of these products and the supplier in the broadest sense. Furthermore, the Danish Data Protection Authority has emphasized that this development takes place on the basis of personal data about school students, which is collected as part of their use of the learning resources that the school students are obliged to use, regardless of the fact that this personal data is aggregated into general usage patterns.
Although it can be said that this is a less intrusive processing of personal data, as the information is pseudonymised and aggregated, which is why the requirements for the necessary legal basis are lower, and regardless of the flexibility that, in the opinion of the Danish Data Protection Authority, is found in Article 6, paragraph 1 of the Data Protection Regulation. 1, letter e, and the "necessity requirement" that appears in the provision, in the opinion of the Data Protection Authority, it does not appear that the necessary basis for the municipalities' disclosure of information for the purposes in question can be found in the relevant provisions of the Folkeskole Act.
Thus, it does not appear to be clear either from the wording of the primary school or the preparatory work that it is a necessary part of or a prerequisite for the municipalities' task resolution in accordance with the Primary Schools Act that the municipalities pass on personal data about school pupils to the supplier of teaching and learning materials for the purpose of the supplier's general further development of its IT products using this information. It follows neither from a natural understanding of the law's provisions on how computers were originally to be integrated in the primary school – and then in the individual subjects – nor from the curriculum and teaching guidance on the computer subject and its purpose.
Thus, it does not appear that it has been the intention of the Danish Parliament that the general further development of the teaching and learning resources that the municipalities decide must be used in primary schools must be able to take place by passing on personal data about school pupils who use the teaching and learning resources in question learning aids, to third parties, including the supplier thereof. Furthermore, it does not appear in any way that the Folketing has generally anticipated the technological development that has taken place since the adoption of the provisions in question in the Folkeskole Act in 1993.
It cannot lead to a different result that, in addition to the Folkeskole Act and the preparations for this, KL has referred to the joint public digitization strategy 2011 to 2015 and the financial agreement between the municipalities and the government from 2012. None of these can be considered to be an expression of the legislator's intention to , which tasks and obligations the municipalities have according to the primary school, and how these must be carried out.
Finally, the Danish Data Protection Authority notes that the considerations mentioned do not appear to be an isolated problem in relation to the Folkeskole Act. The Danish Data Protection Authority therefore calls on the legislature to take a clear position going forward on the extent to which personal data about citizens as part of the social contract can or must be passed on in cases such as the one in question, including particularly in public-private collaborations.
The Danish Data Protection Authority therefore finds grounds to notify the municipalities of an order to bring the municipalities' processing of personal data in the form of passing on personal data to Google in accordance with the data protection regulation's article 5, subsection 1, letter a, and Article 6, subsection 1, as well as being able to demonstrate this, cf. the regulation's article 5, subsection 2.
This can happen e.g. by:
that the municipalities cease to pass on personal data to Google for the purposes in question, which probably presupposes that Google develops a technical possibility for the data flows in question to be cut off, that Google refrains from processing information for these purposes, or that the Danish Parliament provides a sufficiently clear legal basis for the processing in question.
The Danish Data Protection Authority initially requests the municipalities to indicate how the municipalities intend to comply with the above-mentioned order. The Danish Data Protection Authority must request to receive this notification by 1 March 2024 at the latest.
The deadline for compliance with the injunction is 1 August 2024. The Danish Data Protection Authority must request to receive confirmation that the injunction has been complied with by the same date. The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.
According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.
5. Concluding remarks
Based on the nature of the case, the Danish Data Protection Authority has decided to inform the Danish Parliament's Legal Committee and the Committee for Digitization and IT as well as the Ministry of Justice and the Ministry of Children and Education about the case.
As far as the other questions in the case are concerned, the Norwegian Data Protection Authority notes that the Norwegian Data Protection Authority continues to process these and expects to continue processing in parallel with the municipalities' compliance with the above-mentioned order.
[1] C-175/20, Valsts eizumenu dienests, paragraph 83.
[2] Legislative Decree No. 1086 of 15 August 2023 on the primary school.
[3] The digitalization strategy 2011 to 2015 with annexes can be accessed here: https://digst.dk/strategier/den-faellesoffentlige-digitaliseringsstrategi/tidligere-strategier/digitaliseringsstrategien-2011-til-2015/
[4] The digitalization strategy 2011 to 2015, Focus area 3 – Folkeskolen must challenge the digital generation, p. 22.
[5] Google has stated that the provision of personalized services "is a purpose under the Google Privacy Policy that applies to processing via Chrome Sync, except when the customer uses that service as part of Workspace for Education (in which case, the Google Privacy Policy, including this purpose, will not apply to that processing, and the Google Cloud Privacy Notice will apply instead). As we understand that all of the relevant Danish municipalities will use Chrome Sync as part of Workspace for Education, this processing purpose will not be applicable to their end users.”
[6] See note 6.
[7] See the definition of Services in s. 15.19 in the Google Workspace for Education Terms of Service
[8] See the definition of Chrome Services in s. 15 of the Chrome Online Agreement.
[9] Google Terms of Service (dated January 5, 2022): https://policies.google.com/terms
[10] Google Privacy Policy (dated October 4, 2023): https://policies.google.com/privacy
[11] Google Privacy Policy (dated October 4, 2023): https://policies.google.com/privacy
